{ "threat_severity" : "Moderate", "public_date" : "2024-03-18T00:00:00Z", "bugzilla" : { "description" : "kernel: tcp: add sanity checks to rx zerocopy", "id" : "2270100", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2270100" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntcp: add sanity checks to rx zerocopy\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\nThis patch adds to can_map_frag() these additional checks:\n- Page must not be a compound one.\n- page->mapping must be NULL.\nThis fixes the panic reported by ZhangPeng.\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n&(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n0x181e42, 0x0)", "A vulnerability was found in Linux Kernel where rx zerocopy feature allowed mapping of pages owned by the filesystem, leading to potential system panic which is caused by the lack of sanity checks to rx zerocopy. A local authenticated attacker could exploit this vulnerability to cause a denial of service." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5102", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5101", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.16.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2024-08-07T00:00:00Z", "advisory" : "RHSA-2024:5065", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.115.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2024-08-07T00:00:00Z", "advisory" : "RHSA-2024:5065", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.115.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2024-08-07T00:00:00Z", "advisory" : "RHSA-2024:5065", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.115.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2024-08-13T00:00:00Z", "advisory" : "RHSA-2024:5255", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kernel-0:4.18.0-477.67.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-10-30T00:00:00Z", "advisory" : "RHSA-2024:8617", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.42.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-10-30T00:00:00Z", "advisory" : "RHSA-2024:8617", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.42.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-11-13T00:00:00Z", "advisory" : "RHSA-2024:9497", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.92.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-11-13T00:00:00Z", "advisory" : "RHSA-2024:9498", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.92.1.rt14.377.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26640\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26640\nhttps://lore.kernel.org/linux-cve-announce/20240318102117.2839904-11-lee@kernel.org/T" ], "name" : "CVE-2024-26640", "mitigation" : { "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.", "lang" : "en:us" }, "csaw" : false }