CVE-2024-35901
net: mana: Fix Rx DMA datasize and skb_over_panic
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
net: mana: Fix Rx DMA datasize and skb_over_panic
mana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to be
multiple of 64. So a packet slightly bigger than mtu+14, say 1536,
can be received and cause skb_over_panic.
Sample dmesg:
[ 5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev:<NULL>
[ 5325.243689] ------------[ cut here ]------------
[ 5325.245748] kernel BUG at net/core/skbuff.c:192!
[ 5325.247838] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 5325.258374] RIP: 0010:skb_panic+0x4f/0x60
[ 5325.302941] Call Trace:
[ 5325.304389] <IRQ>
[ 5325.315794] ? skb_panic+0x4f/0x60
[ 5325.317457] ? asm_exc_invalid_op+0x1f/0x30
[ 5325.319490] ? skb_panic+0x4f/0x60
[ 5325.321161] skb_put+0x4e/0x50
[ 5325.322670] mana_poll+0x6fa/0xb50 [mana]
[ 5325.324578] __napi_poll+0x33/0x1e0
[ 5325.326328] net_rx_action+0x12e/0x280
As discussed internally, this alignment is not necessary. To fix
this bug, remove it from the code. So oversized packets will be
marked as CQE_RX_TRUNCATED by NIC, and dropped.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: mana: Fix Rx DMA datasize y skb_over_panic mana_get_rxbuf_cfg() alinea el tamaño de datos DMA del buffer RX para que sea múltiplo de 64. Entonces, un paquete ligeramente más grande que mtu+14, digamos 1536, se puede recibir y causar skb_over_panic. Dmesg de muestra: [5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev: [ 689] ----------- -[ cortar aquí ]------------ ¡BUG del kernel [5325.245748] en net/core/skbuff.c:192! [ 5325.247838] código de operación no válido: 0000 [#1] PREEMPT SMP NOPTI [ 5325.258374] RIP: 0010:skb_panic+0x4f/0x60 [ 5325.302941] Seguimiento de llamadas: [ 5325.304389] [ 5325.315794] ? skb_panic+0x4f/0x60 [5325.317457]? asm_exc_invalid_op+0x1f/0x30 [5325.319490]? skb_panic+0x4f/0x60 [ 5325.321161] skb_put+0x4e/0x50 [ 5325.322670] mana_poll+0x6fa/0xb50 [mana] [ 5325.324578] __napi_poll+0x33/0x1e0 [ 5325.326328 ] net_rx_action+0x12e/0x280 Como se analizó internamente, esta alineación no es necesaria. Para corregir este error, elimínelo del código. Por lo tanto, los paquetes de gran tamaño serán marcados como CQE_RX_TRUNCATED por NIC y descartados.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-17 CVE Reserved
- 2024-05-19 CVE Published
- 2024-05-20 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/2fbbd712baf1c60996554326728bbdbef5616e12 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.6.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.6.26" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.8.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.8.5" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.4 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.9" | en |
Affected
| ||||||