{
  "threat_severity" : "Moderate",
  "public_date" : "2024-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: tcp_bpf: fix return value of tcp_bpf_sendmsg()",
    "id" : "2313131",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2313131"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntcp_bpf: fix return value of tcp_bpf_sendmsg()\nWhen we cork messages in psock->cork, the last message triggers the\nflushing will result in sending a sk_msg larger than the current\nmessage size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes\nnegative at least in the following case:\n468         case __SK_DROP:\n469         default:\n470                 sk_msg_free_partial(sk, msg, tosend);\n471                 sk_msg_apply_bytes(psock, tosend);\n472                 *copied -= (tosend + delta); // <==== HERE\n473                 return -EACCES;\nTherefore, it could lead to the following BUG with a proper value of\n'copied' (thanks to syzbot). We should not use negative 'copied' as a\nreturn value here.\n------------[ cut here ]------------\nkernel BUG at net/socket.c:733!\nInternal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0\nHardware name: linux,dummy-virt (DT)\npstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\npc : sock_sendmsg_nosec net/socket.c:733 [inline]\npc : sock_sendmsg_nosec net/socket.c:728 [inline]\npc : __sock_sendmsg+0x5c/0x60 net/socket.c:745\nlr : sock_sendmsg_nosec net/socket.c:730 [inline]\nlr : __sock_sendmsg+0x54/0x60 net/socket.c:745\nsp : ffff800088ea3b30\nx29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000\nx26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000\nx23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90\nx20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001\nx17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0\nx8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000\nx5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef\nCall trace:\nsock_sendmsg_nosec net/socket.c:733 [inline]\n__sock_sendmsg+0x5c/0x60 net/socket.c:745\n____sys_sendmsg+0x274/0x2ac net/socket.c:2597\n___sys_sendmsg+0xac/0x100 net/socket.c:2651\n__sys_sendmsg+0x84/0xe0 net/socket.c:2680\n__do_sys_sendmsg net/socket.c:2689 [inline]\n__se_sys_sendmsg net/socket.c:2687 [inline]\n__arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687\n__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\ninvoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49\nel0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132\ndo_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151\nel0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712\nel0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730\nel0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598\nCode: f9404463 d63f0060 3108441f 54fffe81 (d4210000)\n---[ end trace 0000000000000000 ]---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-46783\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46783\nhttps://lore.kernel.org/linux-cve-announce/2024091850-CVE-2024-46783-edcb@gregkh/T" ],
  "name" : "CVE-2024-46783",
  "csaw" : false
}