CVE-2024-35890

2024-05-1909:15:10

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

linux kernel

ownership transfer

vulnerability

fixed

nvd

packets

groed

skb_segment_list

destructor

reference

socket

bug

ip6

receive

napi_complete_done

gro_cell_poll

6.5 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.6%

JSON

In the Linux kernel, the following vulnerability has been resolved:

gro: fix ownership transfer

If packets are GROed with fraglist they might be segmented later on and
continue their journey in the stack. In skb_segment_list those skbs can
be reused as-is. This is an issue as their destructor was removed in
skb_gro_receive_list but not the reference to their socket, and then
they can’t be orphaned. Fix this by also removing the reference to the
socket.

For example this could be observed,

kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
Call Trace:
ipv6_list_rcv+0x250/0x3f0
__netif_receive_skb_list_core+0x49d/0x8f0
netif_receive_skb_list_internal+0x634/0xd40
napi_complete_done+0x1d2/0x7d0
gro_cell_poll+0x118/0x1f0

A similar construction is found in skb_gro_receive, apply the same
change there.

Affected configurations

Vulners

Node

linuxlinux_kernelRange5.15–5.15.154

linuxlinux_kernelRange5.16.0–6.1.85

linuxlinux_kernelRange6.2.0–6.6.26

linuxlinux_kernelRange6.7.0–6.8.5

linuxlinux_kernelRange6.9.0≥

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/core/gro.c",
      "net/ipv4/udp_offload.c"
    ],
    "versions": [
      {
        "version": "5e10da5385d2",
        "lessThan": "d225b0ac96dc",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5e10da5385d2",
        "lessThan": "2eeab8c47c3c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5e10da5385d2",
        "lessThan": "fc126c1d51e9",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5e10da5385d2",
        "lessThan": "5b3b67f73129",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5e10da5385d2",
        "lessThan": "ed4cccef64c1",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/core/gro.c",
      "net/ipv4/udp_offload.c"
    ],
    "versions": [
      {
        "version": "5.15",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.15",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.154",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.85",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.26",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.5",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]