{
  "threat_severity" : "Low",
  "public_date" : "2024-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: esp: fix bad handling of pages from page_pool",
    "id" : "2278193",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2278193"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: esp: fix bad handling of pages from page_pool\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\nBUG: Bad page state in process ksoftirqd/16  pfn:1451b6\npage:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\nflags: 0x200000000000000(node=0|zone=2)\npage_type: 0xffffffff()\nraw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\nraw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\npage dumped because: page_pool leak\nModules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\nCPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x36/0x50\nbad_page+0x70/0xf0\nfree_unref_page_prepare+0x27a/0x460\nfree_unref_page+0x38/0x120\nesp_ssg_unref.isra.0+0x15f/0x200\nesp_output_tail+0x66d/0x780\nesp_xmit+0x2c5/0x360\nvalidate_xmit_xfrm+0x313/0x370\n? validate_xmit_skb+0x1d/0x330\nvalidate_xmit_skb_list+0x4c/0x70\nsch_direct_xmit+0x23e/0x350\n__dev_queue_xmit+0x337/0xba0\n? nf_hook_slow+0x3f/0xd0\nip_finish_output2+0x25e/0x580\niptunnel_xmit+0x19b/0x240\nip_tunnel_xmit+0x5fb/0xb60\nipgre_xmit+0x14d/0x280 [ip_gre]\ndev_hard_start_xmit+0xc3/0x1c0\n__dev_queue_xmit+0x208/0xba0\n? nf_hook_slow+0x3f/0xd0\nip_finish_output2+0x1ca/0x580\nip_sublist_rcv_finish+0x32/0x40\nip_sublist_rcv+0x1b2/0x1f0\n? ip_rcv_finish_core.constprop.0+0x460/0x460\nip_list_rcv+0x103/0x130\n__netif_receive_skb_list_core+0x181/0x1e0\nnetif_receive_skb_list_internal+0x1b3/0x2c0\nnapi_gro_receive+0xc8/0x200\ngro_cell_poll+0x52/0x90\n__napi_poll+0x25/0x1a0\nnet_rx_action+0x28e/0x300\n__do_softirq+0xc3/0x276\n? sort_range+0x20/0x20\nrun_ksoftirqd+0x1e/0x30\nsmpboot_thread_fn+0xa6/0x130\nkthread+0xcd/0x100\n? kthread_complete_and_exit+0x20/0x20\nret_from_fork+0x31/0x50\n? kthread_complete_and_exit+0x20/0x20\nret_from_fork_asm+0x11/0x20\n</TASK>\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26953\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26953\nhttps://lore.kernel.org/linux-cve-announce/2024050128-CVE-2024-26953-8304@gregkh/T" ],
  "name" : "CVE-2024-26953",
  "csaw" : false
}