Informazioni sul CVE-2024-41048
skmsg: Skip zero length skb in sk_msg_recvmsg
CWE ID: N/A
Base Score (CVSS): N/A
CVE: CVE-2024-41048
Descrizione: In the Linux kernel, a vulnerability has been resolved concerning the `skmsg: Skip zero-length skb in sk_msg_recvmsg`. When running BPF selftest (`./test_progs -t sockmap_basic`) on a Loongarch platform, the following kernel panic occurs: … Oops[#1]: CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 0000000c (PPLV0 +PIE +PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECG: 00000007 (ECode=1 EsubCode=0) EST: 00000007 (EsubCode=0,2-4,10-12 VS=7) ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) BADV: 0000000000000040 PID: 0014c011 CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 … … ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 0000000c (PPLV0 +PIE +PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECG: 00000007 (ECode=1 EsubCode=0) EST: 00000007 (EsubCode=0,2-4,10-12 VS=7) ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) BADV: 0000000000000040 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 … root cause: A NULL pointer is passed to page_address() in the `sk_msg_recvmsg()` function. Due to the different implementations depending on the architecture, page_address(NULL) will trigger a panic on Loongarch platform but not on x86 platform. So this bug was hidden on x86 platform for a while, but now it is exposed on Loongarch platform. The root cause is that a zero-length skb (skb->len == 0) was put on the queue. To solve this, we should skip this zero-length skb. Therefore, in `sk_msg_recvmsg()`, we should skip invoking `copy_page_to_iter()`. We are using the EFAULT return triggered by `copy_page_to_iter` to check for is_fin in tcp_bpf.c.`
Vettore di attacco
Punteggio CVSS
Il CVSS è un sistema di valutazione che misura la gravità di una vulnerabilità informatica considerando fattori come l’impatto potenziale, la probabilità di attacco e la facilità di esecuzione.
Riassunto: .
Dettaglio del Vettore
| Metrica | Valore | Significato | Descrizione |
|---|
Riferimenti esterni
- https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632
- https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d
- https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc
- https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97
- https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b
Prodotti interessati
- Linux – Linux
- Linux – Linux