Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-35841.json
blob: 2650b2c2adc5b32197839e092afe96a374caf43d [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls, fix WARNIING in __sk_msg_free\n\nA splice with MSG_SPLICE_PAGES will cause tls code to use the\ntls_sw_sendmsg_splice path in the TLS sendmsg code to move the user\nprovided pages from the msg into the msg_pl. This will loop over the\nmsg until msg_pl is full, checked by sk_msg_full(msg_pl). The user\ncan also set the MORE flag to hint stack to delay sending until receiving\nmore pages and ideally a full buffer.\n\nIf the user adds more pages to the msg than can fit in the msg_pl\nscatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send\nthe buffer anyways.\n\nWhat actually happens though is we abort the msg to msg_pl scatterlist\nsetup and then because we forget to set 'full record' indicating we\ncan no longer consume data without a send we fallthrough to the 'continue'\npath which will check if msg_data_left(msg) has more bytes to send and\nthen attempts to fit them in the already full msg_pl. Then next\niteration of sender doing send will encounter a full msg_pl and throw\nthe warning in the syzbot report.\n\nTo fix simply check if we have a full_record in splice code path and\nif not send the msg regardless of MORE flag."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/tls/tls_sw.c"
],
"versions": [
{
"version": "fe1e81d4f73b6cbaed4fcc476960d26770642842",
"lessThan": "02e368eb1444a4af649b73cbe2edd51780511d86",
"status": "affected",
"versionType": "git"
},
{
"version": "fe1e81d4f73b6cbaed4fcc476960d26770642842",
"lessThan": "294e7ea85f34748f04e5f3f9dba6f6b911d31aa8",
"status": "affected",
"versionType": "git"
},
{
"version": "fe1e81d4f73b6cbaed4fcc476960d26770642842",
"lessThan": "dc9dfc8dc629e42f2234e3327b75324ffc752bc9",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/tls/tls_sw.c"
],
"versions": [
{
"version": "6.5",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.5",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.14",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.7.2",
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.8",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5",
"versionEndExcluding": "6.6.14"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5",
"versionEndExcluding": "6.7.2"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5",
"versionEndExcluding": "6.8"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/02e368eb1444a4af649b73cbe2edd51780511d86"
},
{
"url": "https://git.kernel.org/stable/c/294e7ea85f34748f04e5f3f9dba6f6b911d31aa8"
},
{
"url": "https://git.kernel.org/stable/c/dc9dfc8dc629e42f2234e3327b75324ffc752bc9"
}
],
"title": "net: tls, fix WARNIING in __sk_msg_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-35841",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}