From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-41007: tcp: avoid too many retransmit packets
Description
===========

In the Linux kernel, the following vulnerability has been resolved:

tcp: avoid too many retransmit packets

If a TCP socket is using TCP_USER_TIMEOUT, and the other peer
retracted its window to zero, tcp_retransmit_timer() can
retransmit a packet every two jiffies (2 ms for HZ=1000),
for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.

The fix is to make sure tcp_rtx_probe0_timed_out() takes
icsk->icsk_user_timeout into account.

Before blamed commit, the socket would not timeout after
icsk->icsk_user_timeout, but would use standard exponential
backoff for the retransmits.

Also worth noting that before commit e89688e3e978 ("net: tcp:
fix unexcepted socket die when snd_wnd is 0"), the issue
would last 2 minutes instead of 4.

The Linux kernel CVE team has assigned CVE-2024-41007 to this issue.

Affected and fixed versions
===========================
Issue introduced in 4.19 with commit b701a99e431db784714c32fc6b68123045714679 and fixed in 4.19.318 with commit 7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4
Issue introduced in 4.19 with commit b701a99e431db784714c32fc6b68123045714679 and fixed in 5.4.280 with commit d2346fca5bed130dc712f276ac63450201d52969
Issue introduced in 4.19 with commit b701a99e431db784714c32fc6b68123045714679 and fixed in 5.10.222 with commit 5d7e64d70a11d988553a08239c810a658e841982
Issue introduced in 4.19 with commit b701a99e431db784714c32fc6b68123045714679 and fixed in 5.15.163 with commit 04317a2471c2f637b4c49cbd0e9c0d04a519f570
Issue introduced in 4.19 with commit b701a99e431db784714c32fc6b68123045714679 and fixed in 6.1.100 with commit e113cddefa27bbf5a79f72387b8fbd432a61a466
Issue introduced in 4.19 with commit b701a99e431db784714c32fc6b68123045714679 and fixed in 6.6.41 with commit dfcdd7f89e401d2c6616be90c76c2fac3fa98fde
Issue introduced in 4.19 with commit b701a99e431db784714c32fc6b68123045714679 and fixed in 6.9.10 with commit 66cb64a1d2239cd0309f9b5038b05462570a5be1
Issue introduced in 4.19 with commit b701a99e431db784714c32fc6b68123045714679 and fixed in 6.10 with commit 97a9063518f198ec0adb2ecb89789de342bb8283
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-41007
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ipv4/tcp_timer.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4
https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969
https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982
https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570
https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466
https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde
https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1
https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283
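
Added example, not part of the original announcement: a check that classifies a kernel.org release string against the "Affected and fixed versions" list above. The function names and result labels are assumptions made for this sketch, and because distribution kernels backport fixes without changing the upstream version number, the result is authoritative only for kernel.org releases.

```python
import platform
import re

# Fixed stable release per branch, copied from the advisory above.
FIXED = {
    (4, 19): 318,
    (5, 4): 280,
    (5, 10): 222,
    (5, 15): 163,
    (6, 1): 100,
    (6, 6): 41,
    (6, 9): 10,
}
INTRODUCED = (4, 19)    # first release containing the blamed commit
MAINLINE_FIX = (6, 10)  # fixed here and in every later release


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # Suffixes such as "-rc1" or "-generic" are ignored; a missing patch is 0.
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(release):
    """Return 'not-affected', 'fixed', 'vulnerable' or 'vulnerable-no-fix'."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not-affected"       # predates the commit that introduced the bug
    if branch >= MAINLINE_FIX:
        return "fixed"              # 6.10 and later carry the mainline fix
    if branch not in FIXED:
        return "vulnerable-no-fix"  # in range, but no fixed release is listed
    return "fixed" if patch >= FIXED[branch] else "vulnerable"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {classify(running)}")
```

A "vulnerable-no-fix" result means the branch lies inside the affected range but the advisory lists no fixed release for it, so the remedy is moving to a listed branch.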