Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistLinuxCVELIST:CVE-2024-26615
HistoryFeb 29, 2024 - 3:52 p.m.

CVE-2024-26615 net/smc: fix illegal rmb_desc access in SMC-D connection dump

2024-02-2915:52:18
Linux
www.cve.org
1
vulnerability resolved
smc-d connection
crash issue
nginx/wrk test
kernel null pointer dereference
connection close
smc-d connections dump
link group
smc_conn_create()
rmb_desc
smc_buf_create()
illegal access
cve-2024-26615

7.5 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.0%

JSON

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix illegal rmb_desc access in SMC-D connection dump

A crash was found when dumping SMC-D connections. It can be reproduced
by following steps:

  • run nginx/wrk test:
    smc_run nginx
    smc_run wrk -t 16 -c 1000 -d <duration> -H ‘Connection: Close’ <URL>

  • continuously dump SMC-D connections in parallel:
    watch -n 1 ‘smcss -D’

BUG: kernel NULL pointer dereference, address: 0000000000000030
CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55
RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x66/0x150
? exc_page_fault+0x69/0x140
? asm_exc_page_fault+0x26/0x30
? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
? __kmalloc_node_track_caller+0x35d/0x430
? __alloc_skb+0x77/0x170
smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
smc_diag_dump+0x26/0x60 [smc_diag]
netlink_dump+0x19f/0x320
__netlink_dump_start+0x1dc/0x300
smc_diag_handler_dump+0x6a/0x80 [smc_diag]
? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
sock_diag_rcv_msg+0x121/0x140
? __pfx_sock_diag_rcv_msg+0x10/0x10
netlink_rcv_skb+0x5a/0x110
sock_diag_rcv+0x28/0x40
netlink_unicast+0x22a/0x330
netlink_sendmsg+0x1f8/0x420
__sock_sendmsg+0xb0/0xc0
____sys_sendmsg+0x24e/0x300
? copy_msghdr_from_user+0x62/0x80
___sys_sendmsg+0x7c/0xd0
? __do_fault+0x34/0x160
? do_read_fault+0x5f/0x100
? do_fault+0xb0/0x110
? __handle_mm_fault+0x2b0/0x6c0
__sys_sendmsg+0x4d/0x80
do_syscall_64+0x69/0x180
entry_SYSCALL_64_after_hwframe+0x6e/0x76

It is possible that the connection is in process of being established
when we dump it. Assumed that the connection has been registered in a
link group by smc_conn_create() but the rmb_desc has not yet been
initialized by smc_buf_create(), thus causing the illegal access to
conn->rmb_desc. So fix it by checking before dump.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/smc/smc_diag.c"
    ],
    "versions": [
      {
        "version": "4b1b7d3b30a6",
        "lessThan": "27aea6483891",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "4b1b7d3b30a6",
        "lessThan": "1fea9969b81c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "4b1b7d3b30a6",
        "lessThan": "5fed92ca32ea",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "4b1b7d3b30a6",
        "lessThan": "68b888d51ac8",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "4b1b7d3b30a6",
        "lessThan": "6994dba06321",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "4b1b7d3b30a6",
        "lessThan": "a164c2922675",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "4b1b7d3b30a6",
        "lessThan": "8f3f9186e5bb",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "4b1b7d3b30a6",
        "lessThan": "dbc153fd3c14",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/smc/smc_diag.c"
    ],
    "versions": [
      {
        "version": "4.19",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.19",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.307",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.269",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.210",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.149",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.76",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.15",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7.3",
        "lessThanOrEqual": "6.7.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

prion 1
nvd 1
redhatcve 1
ubuntucve 1
debiancve 1
cve 1
photon 1
almalinux 2
ubuntu 8
osv 18
openvas 15
nessus 23
rocky 2
oraclelinux 1
slackware 1
debian 1
prion
prion
Null pointer dereference
2024-03-11 18:15:00
nvd
nvd
CVE-2024-26615
2024-03-11 18:15:19
redhatcve
redhatcve
CVE-2024-26615
2024-03-01 20:31:59
ubuntucve
ubuntucve
CVE-2024-26615
2024-03-11 00:00:00
debiancve
debiancve
CVE-2024-26615
2024-03-11 18:15:19
cve
cve
CVE-2024-26615
2024-03-11 18:15:19
photon
photon
Important Photon OS Security Update - PHSA-2024-3.0-0738
2024-03-19 00:00:00
almalinux
almalinux
Moderate: kernel-rt security and bug fix update
2024-06-05 00:00:00
Moderate: kernel update
2024-06-05 00:00:00
ubuntu
ubuntu
Linux kernel (BlueField) vulnerabilities
2024-05-14 00:00:00
Linux kernel vulnerabilities
2024-05-07 00:00:00
Linux kernel vulnerabilities
2024-05-15 00:00:00
osv
osv
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp vulnerabilities
2024-05-07 19:36:29
linux-bluefield vulnerabilities
2024-05-14 09:00:08
Moderate: kernel-rt security and bug fix update
2024-06-05 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-6767-2)
2024-05-15 00:00:00
Ubuntu: Security Advisory (USN-6767-1)
2024-05-08 00:00:00
Ubuntu: Security Advisory (USN-6766-1)
2024-05-08 00:00:00
nessus
nessus
RHEL 8 : kernel-rt (RHSA-2024:3627)
2024-06-05 00:00:00
Ubuntu 20.04 LTS : Linux kernel (BlueField) vulnerabilities (USN-6767-2)
2024-05-14 00:00:00
Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-6767-1)
2024-05-07 00:00:00
rocky
rocky
kernel update
2024-06-14 13:59:16
kernel-rt security and bug fix update
2024-06-14 13:59:36
oraclelinux
oraclelinux
kernel update
2024-06-05 00:00:00
slackware
slackware
[slackware-security] Slackware 15.0 kernel
2024-06-05 19:11:11
debian
debian
[SECURITY] [DSA 5681-1] linux security update
2024-05-06 18:31:39

7.5 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.0%

JSON
Related for CVELIST:CVE-2024-26615
prion1nvd1redhatcve1ubuntucve1debiancve1cve1photon1almalinux2ubuntu8osv18openvas15nessus23rocky2oraclelinux1slackware1debian1