CVE-2024-26826
Vulnerability from cvelistv5
Published
2024-04-17 09:43
Modified
2024-12-19 08:48
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data re-injection from stale subflow When the MPTCP PM detects that a subflow is stale, all the packet scheduler must re-inject all the mptcp-level unacked data. To avoid acquiring unneeded locks, it first try to check if any unacked data is present at all in the RTX queue, but such check is currently broken, as it uses TCP-specific helper on an MPTCP socket. Funnily enough fuzzers and static checkers are happy, as the accessed memory still belongs to the mptcp_sock struct, and even from a functional perspective the recovery completed successfully, as the short-cut test always failed. A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize tcp_sock fast path variables") - exposed the issue, as the tcp field reorganization makes the mptcp code always skip the re-inection. Fix the issue dropping the bogus call: we are on a slow path, the early optimization proved once again to be evil.
Impacted products
Vendor Product Version
Linux Linux Version: 5.15
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.531Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26826",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:49:00.883183Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:30.420Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f95120f898b40d13fd441225ef511307853c9c2",
              "status": "affected",
              "version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
              "versionType": "git"
            },
            {
              "lessThan": "6673d9f1c2cd984390550dbdf7d5ae07b20abbf8",
              "status": "affected",
              "version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
              "versionType": "git"
            },
            {
              "lessThan": "b609c783c535493aa3fca22c7e40a120370b1ca5",
              "status": "affected",
              "version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
              "versionType": "git"
            },
            {
              "lessThan": "624902eab7abcb8731b333ec73f206d38d839cd8",
              "status": "affected",
              "version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
              "versionType": "git"
            },
            {
              "lessThan": "b6c620dc43ccb4e802894e54b651cf81495e9598",
              "status": "affected",
              "version": "1e1d9d6f119c55c05e8ea78ed3e49046690abffd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:48:12.113Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5"
        },
        {
          "url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598"
        }
      ],
      "title": "mptcp: fix data re-injection from stale subflow",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26826",
    "datePublished": "2024-04-17T09:43:51.741Z",
    "dateReserved": "2024-02-19T14:20:24.181Z",
    "dateUpdated": "2024-12-19T08:48:12.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26826\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T10:15:09.183\",\"lastModified\":\"2024-11-21T09:03:09.463\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: fix data re-injection from stale subflow\\n\\nWhen the MPTCP PM detects that a subflow is stale, all the packet\\nscheduler must re-inject all the mptcp-level unacked data. To avoid\\nacquiring unneeded locks, it first try to check if any unacked data\\nis present at all in the RTX queue, but such check is currently\\nbroken, as it uses TCP-specific helper on an MPTCP socket.\\n\\nFunnily enough fuzzers and static checkers are happy, as the accessed\\nmemory still belongs to the mptcp_sock struct, and even from a\\nfunctional perspective the recovery completed successfully, as\\nthe short-cut test always failed.\\n\\nA recent unrelated TCP change - commit d5fed5addb2b (\\\"tcp: reorganize\\ntcp_sock fast path variables\\\") - exposed the issue, as the tcp field\\nreorganization makes the mptcp code always skip the re-inection.\\n\\nFix the issue dropping the bogus call: we are on a slow path, the early\\noptimization proved once again to be evil.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: corrige la reinyecci\u00f3n de datos desde un subflujo obsoleto Cuando MPTCP PM detecta que un subflujo est\u00e1 obsoleto, todo el programador de paquetes debe reinyectar todos los datos no codificados del nivel mptcp. Para evitar adquirir bloqueos innecesarios, primero intenta verificar si hay datos no bloqueados presentes en la cola RTX, pero dicha verificaci\u00f3n actualmente no funciona, ya que utiliza un asistente espec\u00edfico de TCP en un socket MPTCP. Curiosamente, los fuzzers y los comprobadores est\u00e1ticos est\u00e1n contentos, ya que la memoria a la que se accede todav\u00eda pertenece a la estructura mptcp_sock, e incluso desde una perspectiva funcional la recuperaci\u00f3n se complet\u00f3 con \u00e9xito, ya que la prueba de acceso directo siempre fallaba. Un cambio reciente de TCP no relacionado (commit d5fed5addb2b (\\\"tcp: reorganizar las variables de ruta r\u00e1pida de tcp_sock\\\")) expuso el problema, ya que la reorganizaci\u00f3n del campo tcp hace que el c\u00f3digo mptcp siempre omita la reinecci\u00f3n. Solucione el problema eliminando la llamada falsa: estamos en un camino lento, la optimizaci\u00f3n inicial demostr\u00f3 una vez m\u00e1s ser mala.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.