cve-2024-36889
Vulnerability from cvelistv5
Published
2024-05-30 15:28
Modified
2024-11-05 09:27
Severity ?
Summary
mptcp: ensure snd_nxt is properly initialized on connect
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36889",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:29:56.745706Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:33:02.390Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:43:49.113Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "99951b62bf20",
              "status": "affected",
              "version": "8fd738049ac3",
              "versionType": "git"
            },
            {
              "lessThan": "dc941fec0719",
              "status": "affected",
              "version": "8fd738049ac3",
              "versionType": "git"
            },
            {
              "lessThan": "39ca83ed73db",
              "status": "affected",
              "version": "8fd738049ac3",
              "versionType": "git"
            },
            {
              "lessThan": "aa0c07c1f20e",
              "status": "affected",
              "version": "8fd738049ac3",
              "versionType": "git"
            },
            {
              "lessThan": "592f69b41766",
              "status": "affected",
              "version": "8fd738049ac3",
              "versionType": "git"
            },
            {
              "lessThan": "fb7a0d334894",
              "status": "affected",
              "version": "8fd738049ac3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.218",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure snd_nxt is properly initialized on connect\n\nChristoph reported a splat hinting at a corrupted snd_una:\n\n  WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Modules linked in:\n  CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n  Workqueue: events mptcp_worker\n  RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\n  Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\n  \t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\n  \t\u003c0f\u003e 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\n  RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\n  RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\n  RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\n  RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\n  R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\n  R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\n  FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\n  Call Trace:\n   \u003cTASK\u003e\n   __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\n   mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\n   __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\n   mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\n   process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\n   process_scheduled_works kernel/workqueue.c:3335 [inline]\n   worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\n   kthread+0x121/0x170 kernel/kthread.c:388\n   ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n   \u003c/TASK\u003e\n\nWhen fallback to TCP happens early on a client socket, snd_nxt\nis not yet initialized and any incoming ack will copy such value\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\nre-injection after such ack, that would unconditionally trigger a send\nbuffer cleanup using \u0027bad\u0027 snd_una values.\n\nWe could easily disable re-injection for fallback sockets, but such\ndumb behavior already helped catching a few subtle issues and a very\nlow to zero impact in practice.\n\nInstead address the issue always initializing snd_nxt (and write_seq,\nfor consistency) at connect time."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:27:32.820Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193"
        },
        {
          "url": "https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f"
        },
        {
          "url": "https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386"
        }
      ],
      "title": "mptcp: ensure snd_nxt is properly initialized on connect",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36889",
    "datePublished": "2024-05-30T15:28:56.794Z",
    "dateReserved": "2024-05-30T15:25:07.065Z",
    "dateUpdated": "2024-11-05T09:27:32.820Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-36889\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-30T16:15:12.410\",\"lastModified\":\"2024-11-05T10:17:09.633\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: ensure snd_nxt is properly initialized on connect\\n\\nChristoph reported a splat hinting at a corrupted snd_una:\\n\\n  WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\\n  Modules linked in:\\n  CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59\\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\n  Workqueue: events mptcp_worker\\n  RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005\\n  Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8\\n  \\t8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe\\n  \\t\u003c0f\u003e 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9\\n  RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293\\n  RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4\\n  RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001\\n  RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\\n  R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000\\n  R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000\\n  FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0\\n  Call Trace:\\n   \u003cTASK\u003e\\n   __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]\\n   mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]\\n   __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615\\n   mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767\\n   process_one_work+0x1e0/0x560 kernel/workqueue.c:3254\\n   process_scheduled_works kernel/workqueue.c:3335 [inline]\\n   worker_thread+0x3c7/0x640 kernel/workqueue.c:3416\\n   kthread+0x121/0x170 kernel/kthread.c:388\\n   ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147\\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\\n   \u003c/TASK\u003e\\n\\nWhen fallback to TCP happens early on a client socket, snd_nxt\\nis not yet initialized and any incoming ack will copy such value\\ninto snd_una. If the mptcp worker (dumbly) tries mptcp-level\\nre-injection after such ack, that would unconditionally trigger a send\\nbuffer cleanup using \u0027bad\u0027 snd_una values.\\n\\nWe could easily disable re-injection for fallback sockets, but such\\ndumb behavior already helped catching a few subtle issues and a very\\nlow to zero impact in practice.\\n\\nInstead address the issue always initializing snd_nxt (and write_seq,\\nfor consistency) at connect time.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mptcp: aseg\u00farese de que snd_nxt se inicialice correctamente al conectar Christoph inform\u00f3 un s\u00edmbolo que indica un snd_una da\u00f1ado: ADVERTENCIA: CPU: 1 PID: 38 en net/mptcp/protocol.c:1005 __mptcp_clean_una +0x4b3/0x620 net/mptcp/protocol.c:1005 M\u00f3dulos vinculados en: CPU: 1 PID: 38 Comm: kworker/1:1 No contaminado 6.9.0-rc1-gbbeac67456c9 #59 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 01/04/2014 Cola de trabajo: eventos mptcp_worker RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005 C\u00f3digo: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8 8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe \u0026lt;0f\u0026gt; 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9 RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4 RDX: 3cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000000000 R11: fefefefefefefeff R12 : ffff888138ba8000 R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000 FS: 00000000000000000(0000) GS:ffff88813bd00000(0000) nlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0 Rastreo de llamadas:  __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [en l\u00ednea] mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [en l\u00ednea] __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615 mptcp_worker+0x434/ 0x740 neto/ mptcp/protocol.c:2767 Process_one_work+0x1e0/0x560 kernel/workqueue.c:3254 Process_scheduled_works kernel/workqueue.c:3335 [en l\u00ednea] work_thread+0x3c7/0x640 kernel/workqueue.c:3416 kthread+0x121/0x170 kernel/kthread .c:388 ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243  Cuando el retorno a TCP ocurre temprano en un socket de cliente , snd_nxt a\u00fan no est\u00e1 inicializado y cualquier confirmaci\u00f3n entrante copiar\u00e1 dicho valor en snd_una. Si el trabajador mptcp (tontamente) intenta la reinyecci\u00f3n a nivel de mptcp despu\u00e9s de tal confirmaci\u00f3n, eso desencadenar\u00eda incondicionalmente una sanitizaci\u00f3n del b\u00fafer de env\u00edo utilizando valores snd_una \u0027incorrectos\u0027. Podr\u00edamos desactivar f\u00e1cilmente la reinyecci\u00f3n para los sockets de respaldo, pero un comportamiento tan tonto ya ayud\u00f3 a detectar algunos problemas sutiles y un impacto de muy bajo a cero en la pr\u00e1ctica. En su lugar, resuelva el problema siempre inicializando snd_nxt (y write_seq, para mantener la coherencia) en el momento de la conexi\u00f3n.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/39ca83ed73db9edcc6d70c0dc7a73085a4725012\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/592f69b41766d366dbb8ff4ef5a67c4396527bbe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/99951b62bf20cec9247f633a3bea898338b9e5b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/aa0c07c1f20e05b30019bff083ec43665536f06f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dc941fec0719d0471a5902424d6b2a17df233193\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fb7a0d334894206ae35f023a82cad5a290fd7386\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.