In the Linux kernel, the following vulnerability has been resolved: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets TCP_SYN_RECV state is really special, it is only used by cross-syn connections, mostly used by fuzzers. In the following crash [1], syzbot managed to trigger a divide by zero in tcp_rcv_space_adjust() A socket makes the following state transitions, without ever calling tcp_init_transfer(), meaning tcp_init_buffer_space() is also not called. TCP_CLOSE connect() TCP_SYN_SENT TCP_SYN_RECV shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN) TCP_FIN_WAIT1 To fix this issue, change tcp_shutdown() to not perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition, which makes no sense anyway. When tcp_rcv_state_process() later changes socket state from TCP_SYN_RECV to TCP_ESTABLISH, then look at sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state, and send a FIN packet from a sane socket state. This means tcp_send_fin() can now be called from BH context, and must use GFP_ATOMIC allocations. [1] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767 Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48 RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246 RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7 R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30 R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513 tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578 inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1068 ____sys_recvmsg+0x1db/0x470 net/socket.c:2803 ___sys_recvmsg net/socket.c:2845 [inline] do_recvmmsg+0x474/0xae0 net/socket.c:2939 __sys_recvmmsg net/socket.c:3018 [inline] __do_sys_recvmmsg net/socket.c:3041 [inline] __se_sys_recvmmsg net/socket.c:3034 [inline] __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7faeb6363db9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9 RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
References
Link Providers
http://www.openwall.com/lists/oss-security/2024/10/29/1 cve-icon
http://www.openwall.com/lists/oss-security/2024/10/30/1 cve-icon
http://www.openwall.com/lists/oss-security/2024/11/12/4 cve-icon
http://www.openwall.com/lists/oss-security/2024/11/12/5 cve-icon
http://www.openwall.com/lists/oss-security/2024/11/12/6 cve-icon
https://access.redhat.com/security/cve/cve-2024-36905 cve-icon cve-icon
https://alas.aws.amazon.com/cve/html/CVE-2024-36905.html cve-icon cve-icon
https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4 cve-icon cve-icon
https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270 cve-icon cve-icon
https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1 cve-icon cve-icon
https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485 cve-icon cve-icon
https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f cve-icon cve-icon
https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf cve-icon cve-icon
https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214 cve-icon cve-icon
https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4 cve-icon cve-icon
https://github.com/cisagov/vulnrichment/issues/130 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html cve-icon
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html cve-icon
https://lore.kernel.org/linux-cve-announce/2024053036-CVE-2024-36905-5884@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-36905 cve-icon
https://security.netapp.com/advisory/ntap-20240905-0005/ cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-36905 cve-icon
https://www.openwall.com/lists/oss-security/2024/10/29/1 cve-icon cve-icon
https://www.openwall.com/lists/oss-security/2024/11/12/4 cve-icon cve-icon
History

Fri, 22 Nov 2024 12:00:00 +0000


Tue, 19 Nov 2024 20:00:00 +0000

Type Values Removed Values Added
References

Tue, 19 Nov 2024 18:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 Nov 2024 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:9

Tue, 05 Nov 2024 10:45:00 +0000


Tue, 29 Oct 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Sep 2024 08:30:00 +0000

Type Values Removed Values Added
References

Thu, 08 Aug 2024 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8::nfv
cpe:/o:redhat:enterprise_linux:8
Vendors & Products Redhat
Redhat enterprise Linux

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-30T15:29:06.046Z

Updated: 2024-12-19T09:01:46.950Z

Reserved: 2024-05-30T15:25:07.067Z

Link: CVE-2024-36905

cve-icon Vulnrichment

Updated: 2024-11-12T19:02:41.493Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-05-30T16:15:14.030

Modified: 2024-11-21T09:22:46.913

Link: CVE-2024-36905

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-05-30T00:00:00Z

Links: CVE-2024-36905 - Bugzilla