In the Linux kernel, the following vulnerability has been resolved:
net: gso: fix tcp fraglist segmentation after pull from frag_list
Detect TCP GSO fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the former can segment them correctly.
Valid SKB_GSO_FRAGLIST skbs: consist of two or more segments; the head_skb holds the protocol headers plus the first gso_size; one or more frag_list skbs hold exactly one segment each; all but the last must be gso_size.
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants.
In extreme cases they pull all data into the skb linear area. For TCP, this causes a NULL pointer dereference in __tcpv4_gso_segment_list_csum at tcp_hdr(seg->next).
Detect invalid geometry due to a pull by checking the head_skb size. Don't just drop the skb, as this may blackhole a destination. Instead, convert it so that it can be passed to the regular skb_segment.
Approach and description based on a patch by Willem de Bruijn.
[
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"56387134809962608341494010905859999562",
"227103517599621073544104981159870196350",
"87263406355633740603457103025065243381",
"200653149844315740259174967157819596276",
"250889090244361684796187743949254983295"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d4a83a44428de45bfe9dccb0192a3711d1097e0",
"target": {
"file": "net/ipv6/tcpv6_offload.c"
},
"id": "CVE-2024-49979-122258ce"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"212290896144711036329098654200154777314",
"186530196652517783846253127969123995117",
"65422015830399982319461704833716288904",
"95673438848089595686462915441403890505",
"208526324895084836083301095907164036249"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d4a83a44428de45bfe9dccb0192a3711d1097e0",
"target": {
"file": "net/ipv4/tcp_offload.c"
},
"id": "CVE-2024-49979-6f17203f"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 606.0,
"function_hash": "220537836834447767687717296563233807669"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3fdd8c83e83fa5e82f1b5585245c51e0355c9f46",
"target": {
"file": "net/ipv4/tcp_offload.c",
"function": "tcp4_gso_segment"
},
"id": "CVE-2024-49979-7eeeb602"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"212290896144711036329098654200154777314",
"186530196652517783846253127969123995117",
"65422015830399982319461704833716288904",
"95673438848089595686462915441403890505",
"208526324895084836083301095907164036249"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3fdd8c83e83fa5e82f1b5585245c51e0355c9f46",
"target": {
"file": "net/ipv4/tcp_offload.c"
},
"id": "CVE-2024-49979-ace02a5a"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 624.0,
"function_hash": "205894184038906144734909421365586707403"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d4a83a44428de45bfe9dccb0192a3711d1097e0",
"target": {
"file": "net/ipv6/tcpv6_offload.c",
"function": "tcp6_gso_segment"
},
"id": "CVE-2024-49979-c322cc2f"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 606.0,
"function_hash": "220537836834447767687717296563233807669"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8",
"target": {
"file": "net/ipv4/tcp_offload.c",
"function": "tcp4_gso_segment"
},
"id": "CVE-2024-49979-cf265f0d"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"212290896144711036329098654200154777314",
"186530196652517783846253127969123995117",
"65422015830399982319461704833716288904",
"95673438848089595686462915441403890505",
"208526324895084836083301095907164036249"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8",
"target": {
"file": "net/ipv4/tcp_offload.c"
},
"id": "CVE-2024-49979-d8ae3d19"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 624.0,
"function_hash": "205894184038906144734909421365586707403"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8",
"target": {
"file": "net/ipv6/tcpv6_offload.c",
"function": "tcp6_gso_segment"
},
"id": "CVE-2024-49979-da4fddbf"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"56387134809962608341494010905859999562",
"227103517599621073544104981159870196350",
"87263406355633740603457103025065243381",
"200653149844315740259174967157819596276",
"250889090244361684796187743949254983295"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3fdd8c83e83fa5e82f1b5585245c51e0355c9f46",
"target": {
"file": "net/ipv6/tcpv6_offload.c"
},
"id": "CVE-2024-49979-de5bdd3c"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 606.0,
"function_hash": "220537836834447767687717296563233807669"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d4a83a44428de45bfe9dccb0192a3711d1097e0",
"target": {
"file": "net/ipv4/tcp_offload.c",
"function": "tcp4_gso_segment"
},
"id": "CVE-2024-49979-e1f320b1"
},
{
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 624.0,
"function_hash": "205894184038906144734909421365586707403"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3fdd8c83e83fa5e82f1b5585245c51e0355c9f46",
"target": {
"file": "net/ipv6/tcpv6_offload.c",
"function": "tcp6_gso_segment"
},
"id": "CVE-2024-49979-e7fe850c"
},
{
"signature_type": "Line",
"deprecated": false,
"digest": {
"line_hashes": [
"56387134809962608341494010905859999562",
"227103517599621073544104981159870196350",
"87263406355633740603457103025065243381",
"200653149844315740259174967157819596276",
"250889090244361684796187743949254983295"
],
"threshold": 0.9
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8",
"target": {
"file": "net/ipv6/tcpv6_offload.c"
},
"id": "CVE-2024-49979-e928ef34"
}
]