In the Linux kernel, the following vulnerability has been resolved: net:
tls, fix WARNIING in __sk_msg_free A splice with MSG_SPLICE_PAGES will
cause tls code to use the tls_sw_sendmsg_splice path in the TLS sendmsg
code to move the user provided pages from the msg into the msg_pl. This
will loop over the msg until msg_pl is full, checked by
sk_msg_full(msg_pl). The user can also set the MORE flag to hint stack to
delay sending until receiving more pages and ideally a full buffer. If the
user adds more pages to the msg than can fit in the msg_pl scatterlist
(MAX_MSG_FRAGS) we should ignore the MORE flag and send the buffer anyways.
What actually happens though is we abort the msg to msg_pl scatterlist
setup and then because we forget to set ‘full record’ indicating we can no
longer consume data without a send we fallthrough to the ‘continue’ path
which will check if msg_data_left(msg) has more bytes to send and then
attempts to fit them in the already full msg_pl. Then next iteration of
sender doing send will encounter a full msg_pl and throw the warning in the
syzbot report. To fix simply check if we have a full_record in splice code
path and if not send the msg regardless of MORE flag.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/dc9dfc8dc629e42f2234e3327b75324ffc752bc9 (6.8-rc1)
git.kernel.org/stable/c/02e368eb1444a4af649b73cbe2edd51780511d86
git.kernel.org/stable/c/294e7ea85f34748f04e5f3f9dba6f6b911d31aa8
git.kernel.org/stable/c/dc9dfc8dc629e42f2234e3327b75324ffc752bc9
launchpad.net/bugs/cve/CVE-2024-35841
nvd.nist.gov/vuln/detail/CVE-2024-35841
security-tracker.debian.org/tracker/CVE-2024-35841
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
www.cve.org/CVERecord?id=CVE-2024-35841