CVE-2024-49978
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
gso: fix udp gso fraglist segmentation after pull from frag_list
Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly.
Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants.
In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest.
Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 9fd1ff5d2ac7181844735806b0a703c942365291 < 080e6c9a3908de193a48f646c5ce1bfb15676ffc | affected |
| Linux | Linux | 9fd1ff5d2ac7181844735806b0a703c942365291 < af3122f5fdc0d00581d6e598a668df6bf54c9daa | affected |
| Linux | Linux | 9fd1ff5d2ac7181844735806b0a703c942365291 < 33e28acf42ee863f332a958bfc2f1a284a3659df | affected |
| Linux | Linux | 9fd1ff5d2ac7181844735806b0a703c942365291 < 3cd00d2e3655fad3bda96dc1ebf17b6495f86fea | affected |
| Linux | Linux | 9fd1ff5d2ac7181844735806b0a703c942365291 < a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab | affected |
| Linux | Linux | 5.6 | affected |
| Linux | Linux | 0 < 5.6 | unaffected |
| Linux | Linux | 6.1.113 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.55 <= 6.6.* | unaffected |
| Linux | Linux | 6.10.14 <= 6.10.* | unaffected |
| Linux | Linux | 6.11.3 <= 6.11.* | unaffected |
| Linux | Linux | 6.12 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc
- https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa
- https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df
- https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea
- https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.