CVE-2024-35890

Source
https://cve.org/CVERecord?id=CVE-2024-35890
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35890.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35890
Published
2024-05-19T08:34:46.085Z
Modified
2026-03-14T12:34:04.226376Z
Summary
gro: fix ownership transfer
Details

In the Linux kernel, the following vulnerability has been resolved:

gro: fix ownership transfer

If packets are GROed with fraglist they might be segmented later on and continue their journey in the stack. In skb_segment_list those skbs can be reused as-is. This is an issue as their destructor was removed in skb_gro_receive_list but not the reference to their socket, and then they can't be orphaned. Fix this by also removing the reference to the socket.

For example this could be observed,

    kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
    RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
    Call Trace:
     ipv6_list_rcv+0x250/0x3f0
     __netif_receive_skb_list_core+0x49d/0x8f0
     netif_receive_skb_list_internal+0x634/0xd40
     napi_complete_done+0x1d2/0x7d0
     gro_cell_poll+0x118/0x1f0

A similar construction is found in skb_gro_receive, apply the same change there.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35890.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5e10da5385d20c4bae587bc2921e5fdd9655d5fc
Fixed
d225b0ac96dc40d7e8ae2bc227eb2c56e130975f
Fixed
2eeab8c47c3c0276e0746bc382f405c9a236a5ad
Fixed
fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6
Fixed
5b3b67f731296027cceb3efad881ae281213f86f
Fixed
ed4cccef64c1d0d5b91e69f7a8a6697c3a865486

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35890.json"