CVE-2024-35890

gro: fix ownership transfer

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

gro: fix ownership transfer

If packets are GROed with fraglist they might be segmented later on and
continue their journey in the stack. In skb_segment_list those skbs can
be reused as-is. This is an issue as their destructor was removed in
skb_gro_receive_list but not the reference to their socket, and then
they can't be orphaned. Fix this by also removing the reference to the
socket.

For example this could be observed,

kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
Call Trace:
ipv6_list_rcv+0x250/0x3f0
__netif_receive_skb_list_core+0x49d/0x8f0
netif_receive_skb_list_internal+0x634/0xd40
napi_complete_done+0x1d2/0x7d0
gro_cell_poll+0x118/0x1f0

A similar construction is found in skb_gro_receive, apply the same
change there.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: gro: corrige la transferencia de propiedad. Si los paquetes se agrupan con fraglist, es posible que se segmenten más adelante y continúen su viaje en la pila. En skb_segment_list esos skbs se pueden reutilizar tal cual. Esto es un problema ya que su destructor se eliminó en skb_gro_receive_list pero no la referencia a su socket, y luego no pueden quedar huérfanos. Solucione este problema eliminando también la referencia al socket. Por ejemplo, esto se podría observar, ¡BUG del kernel en include/linux/skbuff.h:3131! (skb_orphan) RIP: 0010:ip6_rcv_core+0x11bc/0x19a0 Seguimiento de llamadas: ipv6_list_rcv+0x250/0x3f0 __netif_receive_skb_list_core+0x49d/0x8f0 netif_receive_skb_list_internal+0x634/0xd40 napi_complete_done+0x1 d2/0x7d0 gro_cell_poll+0x118/0x1f0 Se encuentra una construcción similar en skb_gro_receive, aplique el mismo cambio allí.

A flaw was found in the Linux kernel's Generic Receive Offload (GRO) feature, where packets processed with a fragment list are not properly orphaned due to incorrect handling of socket references. This vulnerability can cause system instability or kernel bugs. The issue has been fixed by making sure that socket references are correctly removed during packet processing. Users should update their kernel to the patched version to mitigate this risk.

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-19 CVE Published
2024-05-20 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/5e10da5385d20c4bae587bc2921e5fdd9655d5fc	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f	2024-04-10
https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad	2024-04-10
https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6	2024-04-10
https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f	2024-04-10
https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486	2024-03-29

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-35890	2024-07-09
https://bugzilla.redhat.com/show_bug.cgi?id=2281689	2024-07-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.1.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.1.85"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.6.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.6.26"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.8.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.8.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.9"		en		Affected