From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-35841: net: tls, fix WARNING in __sk_msg_free

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: tls, fix WARNING in __sk_msg_free

A splice with MSG_SPLICE_PAGES will cause tls code to use the
tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user
provided pages from the msg into the msg_pl. This will loop over the
msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user
can also set the MORE flag to hint the stack to delay sending until receiving
more pages and ideally a full buffer.

If the user adds more pages to the msg than can fit in the msg_pl
scatterlist (MAX_MSG_FRAGS), we should ignore the MORE flag and send
the buffer anyway.

What actually happens though is we abort the msg to msg_pl scatterlist
setup and then, because we forget to set 'full record' indicating we
can no longer consume data without a send, we fall through to the 'continue'
path which will check if msg_data_left(msg) has more bytes to send and
then attempts to fit them in the already full msg_pl. Then the next
iteration of the sender doing send will encounter a full msg_pl and throw
the warning in the syzbot report.

To fix, simply check if we have a full_record in the splice code path and
if not send the msg regardless of MORE flag.
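As an added illustration, not code from the kernel or from this advisory, the following user-space C model walks through the control flow the description above lays out: spliced pages are moved into a record until it fills, and the model compares the behaviour the description calls buggy (only the absence of the MORE flag triggers a send, so a full record is left open) with the fixed behaviour (a full record is sent regardless of MORE). Every name here (MAX_FRAGS, struct rec, struct msg, splice_pages, sendmsg_model) and every page count is constructed; they stand in for MAX_MSG_FRAGS, msg_pl, tls_sw_sendmsg_splice and the sendmsg loop in net/tls/tls_sw.c and are not the kernel's identifiers.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example: a user-space model of the record-filling loop described
 * in the advisory. It is NOT the kernel's tls_sw.c code. MAX_FRAGS stands
 * in for MAX_MSG_FRAGS, struct rec for msg_pl, and struct msg for the
 * user's spliced pages plus the MORE flag. All sizes are constructed.
 */
#define MAX_FRAGS 4   /* constructed; the kernel constant is MAX_MSG_FRAGS */

struct rec { int nfrags; };                 /* the open TLS record (msg_pl) */
struct msg { int pages_left; bool more; };  /* spliced pages still to consume, MSG_MORE */

enum outcome {
    OUT_SENT,        /* everything was pushed out in one or more records */
    OUT_DELAYED,     /* data waits in an open, non-full record (MORE honoured) */
    OUT_WARN_FULL,   /* loop came back to a full record with data still pending */
};

/* Move pages from the msg into the record until the record is full or the
 * msg is empty. Returns true when the record is full: the 'full record'
 * condition the description says the buggy path forgot to act on. */
static bool splice_pages(struct msg *m, struct rec *r)
{
    while (m->pages_left > 0 && r->nfrags < MAX_FRAGS) {
        r->nfrags++;
        m->pages_left--;
    }
    return r->nfrags >= MAX_FRAGS;
}

/* Push the open record to the wire and start a fresh one. */
static void push_record(struct rec *r)
{
    r->nfrags = 0;
}

/*
 * One sendmsg call. 'fixed' selects between the behaviour the advisory
 * describes as buggy (only end-of-record, i.e. no MORE flag, forces a send)
 * and the fixed behaviour (a full record is sent regardless of MORE).
 * records_sent receives how many records were pushed.
 */
static enum outcome sendmsg_model(struct msg m, bool fixed, int *records_sent)
{
    struct rec r = { 0 };
    *records_sent = 0;

    while (m.pages_left > 0) {
        /* Re-entering the loop with a full record and data still pending is
         * the state the description says trips the warning in the kernel. */
        if (r.nfrags >= MAX_FRAGS)
            return OUT_WARN_FULL;

        bool full_record = splice_pages(&m, &r);
        bool eor = !m.more;   /* end of record: the user did not ask to delay */

        bool do_send = fixed ? (eor || full_record) : eor;
        if (do_send) {
            push_record(&r);
            (*records_sent)++;
            continue;
        }
        /* The 'continue' path without a send: the loop goes round and checks
         * the remaining data against the same, possibly full, record. */
    }
    if (r.nfrags > 0 && m.more)
        return OUT_DELAYED;
    return OUT_SENT;
}

int main(void)
{
    int n;
    /* Constructed scenario from the description: more pages than fit in one
     * record (6 > MAX_FRAGS) with the MORE flag set. */
    struct msg big_more = { .pages_left = 6, .more = true };

    enum outcome o = sendmsg_model(big_more, false, &n);
    printf("buggy: outcome=%d records_sent=%d\n", o, n);  /* OUT_WARN_FULL, 0 */

    o = sendmsg_model(big_more, true, &n);
    printf("fixed: outcome=%d records_sent=%d\n", o, n);  /* OUT_DELAYED, 1 */
    return 0;
}
```

The buggy branch shows the failure mode in the description: the first pass fills the record, the MORE flag suppresses the send, and the next pass finds the record already full with pages still to consume. The fixed branch pushes the full record first and only then honours MORE for the remaining, non-full tail.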

The Linux kernel CVE team has assigned CVE-2024-35841 to this issue.


Affected and fixed versions
===========================

Issue introduced in 6.5 with commit fe1e81d4f73b6cbaed4fcc476960d26770642842 and fixed in 6.6.14 with commit 02e368eb1444a4af649b73cbe2edd51780511d86
Issue introduced in 6.5 with commit fe1e81d4f73b6cbaed4fcc476960d26770642842 and fixed in 6.7.2 with commit 294e7ea85f34748f04e5f3f9dba6f6b911d31aa8
Issue introduced in 6.5 with commit fe1e81d4f73b6cbaed4fcc476960d26770642842 and fixed in 6.8 with commit dc9dfc8dc629e42f2234e3327b75324ffc752bc9

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-35841
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
net/tls/tls_sw.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/02e368eb1444a4af649b73cbe2edd51780511d86
https://git.kernel.org/stable/c/294e7ea85f34748f04e5f3f9dba6f6b911d31aa8
https://git.kernel.org/stable/c/dc9dfc8dc629e42f2234e3327b75324ffc752bc9