{
  "threat_severity" : "Moderate",
  "public_date" : "2024-06-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: tcp: Fix shift-out-of-bounds in dctcp_update_alpha().",
    "id" : "2293658",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2293658"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\nalpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);\n...\ndelivered_ce <<= (10 - dctcp_shift_g);\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\nmemcpy((void*)0x20000080,\n\"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\nres = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n/*flags=*/2ul, /*mode=*/0ul);\nmemcpy((void*)0x20000000, \"100\\000\", 4);\nsyscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\nLet's limit the max value of dctcp_shift_g by param_set_uint_minmax().\nWith this patch:\n# echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n# cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n10\n# echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n-bash: echo: write error: Invalid argument\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\nubsan_epilogue lib/ubsan.c:231 [inline]\n__ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\ndctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\ntcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\ntcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\ntcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\ntcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\nsk_backlog_rcv include/net/sock.h:1106 [inline]\n__release_sock+0x20f/0x350 net/core/sock.c:2983\nrelease_sock+0x61/0x1f0 net/core/sock.c:3549\nmptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\nmptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n__mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\nmptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\ninet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n__sock_release net/socket.c:659 [inline]\nsock_close+0xc0/0x240 net/socket.c:1421\n__fput+0x41b/0x890 fs/file_table.c:422\ntask_work_run+0x23b/0x300 kernel/task_work.c:180\nexit_task_work include/linux/task_work.h:38 [inline]\ndo_exit+0x9c8/0x2540 kernel/exit.c:878\ndo_group_exit+0x201/0x2b0 kernel/exit.c:1027\n__do_sys_exit_group kernel/exit.c:1038 [inline]\n__se_sys_exit_group kernel/exit.c:1036 [inline]\n__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n</TASK>", "A security vulnerability has been identified in the TCP networking implementation of the Linux kernel. Specifically, the dctcp_update_alpha() function is susceptible to a shift-out-of-bounds condition. This flaw could potentially be exploited to cause unexpected behavior or a denial-of-service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7001",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7000",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.22.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6206",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.70.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-15T00:00:00Z",
    "advisory" : "RHSA-2024:5363",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.31.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-15T00:00:00Z",
    "advisory" : "RHSA-2024:5363",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.31.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-12-04T00:00:00Z",
    "advisory" : "RHSA-2024:10772",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.95.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-12-04T00:00:00Z",
    "advisory" : "RHSA-2024:10773",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.95.1.rt14.380.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-37356\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-37356\nhttps://lore.kernel.org/linux-cve-announce/2024062137-CVE-2024-37356-cc7b@gregkh/T" ],
  "name" : "CVE-2024-37356",
  "csaw" : false
}