CVE-2024-35890
gro: fix ownership transfer
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
gro: fix ownership transfer
If packets are GROed with fraglist they might be segmented later on and
continue their journey in the stack. In skb_segment_list those skbs can
be reused as-is. This is an issue as their destructor was removed in
skb_gro_receive_list but not the reference to their socket, and then
they can't be orphaned. Fix this by also removing the reference to the
socket.
For example this could be observed,
kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
Call Trace:
ipv6_list_rcv+0x250/0x3f0
__netif_receive_skb_list_core+0x49d/0x8f0
netif_receive_skb_list_internal+0x634/0xd40
napi_complete_done+0x1d2/0x7d0
gro_cell_poll+0x118/0x1f0
A similar construction is found in skb_gro_receive, apply the same
change there.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: gro: corrige la transferencia de propiedad. Si los paquetes se agrupan con fraglist, es posible que se segmenten más adelante y continúen su viaje en la pila. En skb_segment_list esos skbs se pueden reutilizar tal cual. Esto es un problema ya que su destructor se eliminó en skb_gro_receive_list pero no la referencia a su socket, y luego no pueden quedar huérfanos. Solucione este problema eliminando también la referencia al socket. Por ejemplo, esto se podría observar, ¡BUG del kernel en include/linux/skbuff.h:3131! (skb_orphan) RIP: 0010:ip6_rcv_core+0x11bc/0x19a0 Seguimiento de llamadas: ipv6_list_rcv+0x250/0x3f0 __netif_receive_skb_list_core+0x49d/0x8f0 netif_receive_skb_list_internal+0x634/0xd40 napi_complete_done+0x1 d2/0x7d0 gro_cell_poll+0x118/0x1f0 Se encuentra una construcción similar en skb_gro_receive, aplique el mismo cambio allí.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-17 CVE Reserved
- 2024-05-19 CVE Published
- 2024-05-20 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/5e10da5385d20c4bae587bc2921e5fdd9655d5fc | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-35890 | 2024-07-09 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2281689 | 2024-07-09 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.154" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.1.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.1.85" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.6.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.6.26" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.8.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.8.5" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.9" | en |
Affected
| ||||||