CVE-2024-35841

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35841
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35841.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35841
Related
Published
2024-05-17T15:15:21Z
Modified
2024-09-18T03:26:18.358871Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: tls, fix WARNIING in _skmsg_free

A splice with MSGSPLICEPAGES will cause tls code to use the tlsswsendmsgsplice path in the TLS sendmsg code to move the user provided pages from the msg into the msgpl. This will loop over the msg until msgpl is full, checked by skmsgfull(msgpl). The user can also set the MORE flag to hint stack to delay sending until receiving more pages and ideally a full buffer.

If the user adds more pages to the msg than can fit in the msgpl scatterlist (MAXMSG_FRAGS) we should ignore the MORE flag and send the buffer anyways.

What actually happens though is we abort the msg to msgpl scatterlist setup and then because we forget to set 'full record' indicating we can no longer consume data without a send we fallthrough to the 'continue' path which will check if msgdataleft(msg) has more bytes to send and then attempts to fit them in the already full msgpl. Then next iteration of sender doing send will encounter a full msg_pl and throw the warning in the syzbot report.

To fix simply check if we have a full_record in splice code path and if not send the msg regardless of MORE flag.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.7-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}