{ "threat_severity" : "Moderate", "public_date" : "2024-10-21T00:00:00Z", "bugzilla" : { "description" : "kernel: net: avoid potential underflow in qdisc_pkt_len_init() with UFO", "id" : "2320505", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320505" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: avoid potential underflow in qdisc_pkt_len_init() with UFO\nAfter commit 7c6d2ecbda83 (\"net: be more gentle about silly gso\nrequests coming from user\") virtio_net_hdr_to_skb() had sanity check\nto detect malicious attempts from user space to cook a bad GSO packet.\nThen commit cf9acc90c80ec (\"net: virtio_net_hdr_to_skb: count\ntransport header in UFO\") while fixing one issue, allowed user space\nto cook a GSO packet with the following characteristic :\nIPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.\nWhen this packet arrives in qdisc_pkt_len_init(), we end up\nwith hdr_len = 28 (IPv4 header + UDP header), matching skb->len\nThen the following sets gso_segs to 0 :\ngso_segs = DIV_ROUND_UP(skb->len - hdr_len,\nshinfo->gso_size);\nThen later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/\nqdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;\nThis leads to the following crash in fq_codel [1]\nqdisc_pkt_len_init() is best effort, we only want an estimation\nof the bytes sent on the wire, not crashing the kernel.\nThis patch is fixing this particular issue, a following one\nadds more sanity checks for another potential bug.\n[1]\n[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 70.724561] #PF: supervisor read access in kernel mode\n[ 70.724561] #PF: error_code(0x0000) - not-present page\n[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0\n[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI\n[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991\n[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel\n[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49\nAll code\n========\n0:24 08 and $0x8,%al\n2:49 c1 e1 06 shl $0x6,%r9\n6:44 89 7c 24 18 mov %r15d,0x18(%rsp)\nb:45 31 ed xor %r13d,%r13d\ne:45 31 c0 xor %r8d,%r8d\n11:31 ff xor %edi,%edi\n13:89 44 24 14 mov %eax,0x14(%rsp)\n17:4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9\n1e:eb 04 jmp 0x24\n20:39 ca cmp %ecx,%edx\n22:73 37 jae 0x5b\n24:4d 8b 39 mov (%r9),%r15\n27:83 c7 01 add $0x1,%edi\n2a:*49 8b 17 mov (%r15),%rdx<-- trapping instruction\n2d:49 89 11 mov %rdx,(%r9)\n30:41 8b 57 28 mov 0x28(%r15),%edx\n34:45 8b 5f 34 mov 0x34(%r15),%r11d\n38:49 c7 07 00 00 00 00 movq $0x0,(%r15)\n3f:49 rex.WB\nCode starting with the faulting instruction\n===========================================\n0:49 8b 17 mov (%r15),%rdx\n3:49 89 11 mov %rdx,(%r9)\n6:41 8b 57 28 mov 0x28(%r15),%edx\na:45 8b 5f 34 mov 0x34(%r15),%r11d\ne:49 c7 07 00 00 00 00 movq $0x0,(%r15)\n15:49 rex.WB\n[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202\n[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000\n[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000\n[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58\n[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000\n[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000\n[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C\n---truncated---" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-12-11T00:00:00Z", "advisory" : "RHSA-2024:10944", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.32.1.rt7.373.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-12-11T00:00:00Z", "advisory" : "RHSA-2024:10943", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.32.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-12-11T00:00:00Z", "advisory" : "RHSA-2024:10939", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.16.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-12-11T00:00:00Z", "advisory" : "RHSA-2024:10939", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.16.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-03-05T00:00:00Z", "advisory" : "RHSA-2025:2270", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.57.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-49949\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49949\nhttps://lore.kernel.org/linux-cve-announce/2024102129-CVE-2024-49949-c792@gregkh/T" ], "name" : "CVE-2024-49949", "csaw" : false }