CVE-2024-49978
Linux Kernel UDP GSO Fraglist Segmentation Denial of Service
Description
In the Linux kernel, the following vulnerability has been resolved: gso: fix udp gso fraglist segmentation after pull from frag_list Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest. Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment.
INFO
Published Date :
Oct. 21, 2024, 6:15 p.m.
Last Modified :
Oct. 29, 2024, 6:01 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
3.6
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-49978.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-49978 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-49978 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Oct. 29, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Changed Reference Type https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc No Types Assigned https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc Patch Changed Reference Type https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df No Types Assigned https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df Patch Changed Reference Type https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea No Types Assigned https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea Patch Changed Reference Type https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab No Types Assigned https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab Patch Changed Reference Type https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa No Types Assigned https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa Patch Added CWE NIST CWE-476 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.6 up to (excluding) 6.1.113 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.55 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.10.14 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.11 up to (excluding) 6.11.3 *cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Oct. 21, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: gso: fix udp gso fraglist segmentation after pull from frag_list Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest. Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment. Added Reference kernel.org https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-49978 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-49978
weaknesses.