CVE-2024-49949: net: avoid potential underflow in qdisc_pkt_len_init() with UFO
First published: Mon Oct 21 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: net: avoid potential underflow in qdisc_pkt_len_init() with UFO After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had sanity check to detect malicious attempts from user space to cook a bad GSO packet. Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") while fixing one issue, allowed user space to cook a GSO packet with the following characteristic : IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len Then the following sets gso_segs to 0 : gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size); Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/ qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len; This leads to the following crash in fq_codel [1] qdisc_pkt_len_init() is best effort, we only want an estimation of the bytes sent on the wire, not crashing the kernel. This patch is fixing this particular issue, a following one adds more sanity checks for another potential bug. [1] [ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 70.724561] #PF: supervisor read access in kernel mode [ 70.724561] #PF: error_code(0x0000) - not-present page [ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0 [ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI [ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991 [ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49 All code ======== 0: 24 08 and $0x8,%al 2: 49 c1 e1 06 shl $0x6,%r9 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp) b: 45 31 ed xor %r13d,%r13d e: 45 31 c0 xor %r8d,%r8d 11: 31 ff xor %edi,%edi 13: 89 44 24 14 mov %eax,0x14(%rsp) 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9 1e: eb 04 jmp 0x24 20: 39 ca cmp %ecx,%edx 22: 73 37 jae 0x5b 24: 4d 8b 39 mov (%r9),%r15 27: 83 c7 01 add $0x1,%edi 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction 2d: 49 89 11 mov %rdx,(%r9) 30: 41 8b 57 28 mov 0x28(%r15),%edx 34: 45 8b 5f 34 mov 0x34(%r15),%r11d 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 3f: 49 rex.WB Code starting with the faulting instruction =========================================== 0: 49 8b 17 mov (%r15),%rdx 3: 49 89 11 mov %rdx,(%r9) 6: 41 8b 57 28 mov 0x28(%r15),%edx a: 45 8b 5f 34 mov 0x34(%r15),%r11d e: 49 c7 07 00 00 00 00 movq $0x0,(%r15) 15: 49 rex.WB [ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202 [ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000 [ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000 [ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58 [ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000 [ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000 [ 70.724561] CS: 0010 DS: 0000 ES: 0000 C ---truncated---
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | >=4.14.256<4.19 | |
| Linux Kernel | >=4.19.218<5.4 | |
| Linux Kernel | >=5.4.162<5.10 | |
| Linux Kernel | >=5.10.82<5.10.227 | |
| Linux Kernel | >=5.15.5<5.15.168 | |
| Linux Kernel | >=5.16<6.1.113 | |
| Linux Kernel | >=6.2<6.6.55 | |
| Linux Kernel | >=6.7<6.10.14 | |
| Linux Kernel | >=6.11<6.11.3 | |
| Linux Kernel | =6.12-rc1 | |
| debian/linux | <=5.10.223-1<=5.10.226-1 | 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 |
| debian/linux-6.1 | 6.1.119-1~deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d
- https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1
- https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b
- https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c
- https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c
- https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1
- https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174
- https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72
- https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac
- https://lore.kernel.org/linux-cve-announce/2024102129-CVE-2024-49949-c792@gregkh/T
- https://access.redhat.com/errata/RHSA-2024:10944
- https://access.redhat.com/errata/RHSA-2024:10939
- https://access.redhat.com/errata/RHSA-2024:10943
- https://bugzilla.redhat.com/show_bug.cgi?id=2320505
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49949
- https://nvd.nist.gov/vuln/detail/CVE-2024-49949
- https://launchpad.net/bugs/cve/CVE-2024-49949
- https://security-tracker.debian.org/tracker/CVE-2024-49949
- https://ubuntu.com/security/CVE-2024-49949
- https://git.kernel.org/linus/c20029db28399ecc50e556964eaba75c43b1e2f1
Frequently Asked Questions
What is the severity of CVE-2024-49949?
CVE-2024-49949 has a moderate severity rating due to its potential impact on Linux kernel network operations.
How do I fix CVE-2024-49949?
To fix CVE-2024-49949, upgrade to a patched version of the Linux kernel that addresses this vulnerability.
Which versions of the Linux kernel are affected by CVE-2024-49949?
CVE-2024-49949 affects Linux kernel versions from 4.14.256 up to 6.11.3, including specific ranges in 5.x.
What systems are at risk from CVE-2024-49949?
Systems running vulnerable versions of the Linux kernel that rely on network traffic processing are at risk from CVE-2024-49949.
Is there a workaround for CVE-2024-49949?
There are no known workarounds for CVE-2024-49949; applying the recommended kernel updates is the best course of action.
- agent/title
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-49949
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/launchpad-cve
- source/Launchpad
- agent/source
- agent/softwarecombine
- agent/description
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/event
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.14.256
- version/linux kernel/4.19.218
- version/linux kernel/5.4.162
- version/linux kernel/5.10.82
- version/linux kernel/5.15.5
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.11
- version/linux kernel/6.12-rc1
- package-manager/debian