CVE-2024-36905

EPSS 0.06%
Veröffentlicht 30.05.2024 16:15:14
Zuletzt bearbeitet 14.01.2025 17:15:17
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
Teams Watchlist Login
Unerledigt Login

In the Linux kernel, the following vulnerability has been resolved:

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

TCP_SYN_RECV state is really special, it is only used by
cross-syn connections, mostly used by fuzzers.

In the following crash [1], syzbot managed to trigger a divide
by zero in tcp_rcv_space_adjust()

A socket makes the following state transitions,
without ever calling tcp_init_transfer(),
meaning tcp_init_buffer_space() is also not called.

         TCP_CLOSE
connect()
         TCP_SYN_SENT
         TCP_SYN_RECV
shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
         TCP_FIN_WAIT1

To fix this issue, change tcp_shutdown() to not
perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
which makes no sense anyway.

When tcp_rcv_state_process() later changes socket state
from TCP_SYN_RECV to TCP_ESTABLISH, then look at
sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
and send a FIN packet from a sane socket state.

This means tcp_send_fin() can now be called from BH
context, and must use GFP_ATOMIC allocations.

[1]
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
 RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
FS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
  tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
  sock_recvmsg_nosec net/socket.c:1046 [inline]
  sock_recvmsg+0x109/0x280 net/socket.c:1068
  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803
  ___sys_recvmsg net/socket.c:2845 [inline]
  do_recvmmsg+0x474/0xae0 net/socket.c:2939
  __sys_recvmmsg net/socket.c:3018 [inline]
  __do_sys_recvmmsg net/socket.c:3041 [inline]
  __se_sys_recvmmsg net/socket.c:3034 [inline]
  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faeb6363db9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 24

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 34e41a031fd7

Version 1da177e4c3f4

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < ed5e279b69e0

Version 1da177e4c3f4

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 413c33b9f3bc

Version 1da177e4c3f4

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusaffected

Version < 2552c9d9440f

Version 1da177e4c3f

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 3fe4ef0568a4

Version 1da177e4c3f4

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < f47d0d32fa94

Version 1da177e4c3f4

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < cbf232ba11bc

Version 1da177e4c3f4

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 94062790aedb

Version 1da177e4c3f4

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 4.20

Version 4.19.314

Status unaffected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 5.11

Version 5.10.217

Status unaffected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 5.16

Version 5.15.159

Status unaffected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 6.2

Version 6.1.91

Status unaffected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 6.7

Version 6.6.31

Status unaffected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version 6.9

Status unaffected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 2.6.12

Version 0

Status unaffected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version 2.6.12

Status affected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 5.5

Version 5.4.276

Status unaffected

Herstellerlinux

≫

Produkt linux_kernel

Default Statusunknown

Version < 6.9

Version 6.8.10

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.192

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html

https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4

https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270

https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1

https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485

https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f

https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf

https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214

https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4

https://www.openwall.com/lists/oss-security/2024/10/29/1

http://www.openwall.com/lists/oss-security/2024/10/29/1

http://www.openwall.com/lists/oss-security/2024/10/30/1

http://www.openwall.com/lists/oss-security/2024/11/12/4

http://www.openwall.com/lists/oss-security/2024/11/12/5

http://www.openwall.com/lists/oss-security/2024/11/12/6

https://security.netapp.com/advisory/ntap-20240905-0005/

https://access.redhat.com/security/cve/cve-2024-36905

https://alas.aws.amazon.com/cve/html/CVE-2024-36905.html

https://github.com/cisagov/vulnrichment/issues/130

https://www.openwall.com/lists/oss-security/2024/11/12/4

https://nvd.nist.gov/vuln/detail/CVE-2024-36905

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-36905

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-36905

EUVD