In the Linux kernel, the following vulnerability has been resolved:
gro: fix ownership transfer
If packets are GROed with fraglist they might be segmented later on and
continue their journey in the stack. In skb_segment_list those skbs can
be reused as-is. This is an issue as their destructor was removed in
skb_gro_receive_list but not the reference to their socket, and then
they can't be orphaned. Fix this by also removing the reference to the
socket.
For example this could be observed,
kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
Call Trace:
ipv6_list_rcv+0x250/0x3f0
__netif_receive_skb_list_core+0x49d/0x8f0
netif_receive_skb_list_internal+0x634/0xd40
napi_complete_done+0x1d2/0x7d0
gro_cell_poll+0x118/0x1f0
A similar construction is found in skb_gro_receive, apply the same
change there.
Metrics
Affected Vendors & Products
References
History
Thu, 19 Dec 2024 15:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat rhel Aus
Redhat rhel Tus |
|
CPEs | cpe:/o:redhat:rhel_aus:8.6 cpe:/o:redhat:rhel_e4s:8.6 cpe:/o:redhat:rhel_tus:8.6 |
|
Vendors & Products |
Redhat rhel Aus
Redhat rhel Tus |
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2024-05-19T08:34:46.085Z
Updated: 2024-12-19T08:57:38.749Z
Reserved: 2024-05-17T13:50:33.113Z
Link: CVE-2024-35890
Vulnrichment
Updated: 2024-08-02T03:21:48.729Z
NVD
Status : Awaiting Analysis
Published: 2024-05-19T09:15:10.077
Modified: 2024-11-21T09:21:08.290
Link: CVE-2024-35890
Redhat