CVE-2024-37356
Severity CVSS v4.0:
Pending analysis
Type:
CWE-190
Integer Overflow or Wraparound
Publication date:
21/06/2024
Last modified:
04/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

In dctcp_update_alpha(), we use a module parameter dctcp_shift_g
as follows:

```
alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
...
delivered_ce /sys/module/tcp_dctcp/parameters/dctcp_shift_g
-bash: echo: write error: Invalid argument
```

[0]:

```
UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12
shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')
CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143
tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]
tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948
tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711
tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937
sk_backlog_rcv include/net/sock.h:1106 [inline]
__release_sock+0x20f/0x350 net/core/sock.c:2983
release_sock+0x61/0x1f0 net/core/sock.c:3549
mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907
mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976
__mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072
mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127
inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437
__sock_release net/socket.c:659 [inline]
sock_close+0xc0/0x240 net/socket.c:1421
__fput+0x41b/0x890 fs/file_table.c:422
task_work_run+0x23b/0x300 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x9c8/0x2540 kernel/exit.c:878
do_group_exit+0x201/0x2b0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f6c2b5005b6
Code: Unable to access opcode bytes at 0x7f6c2b50058c.
RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
```
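
The following user-space model is an added example, not the kernel's code or the upstream patch: it pairs the `alpha` decay step quoted in the description with a parameter setter that range-checks the shift before storing it, so an exponent such as the 100 in the UBSAN report never reaches the 32-bit shift. The bound `SHIFT_G_MAX`, the default value 4 and the names `shift_g_set`, `shift_g_get` and `alpha_decay` are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for this example; the page does not state the kernel's limit. */
#define SHIFT_G_MAX 10u

/* Stands in for the dctcp_shift_g module parameter (default is an assumption). */
static unsigned int shift_g = 4;

/* Setter in the style of a module-parameter "set" hook: parse, range-check,
 * and store only on success. Returns 0 or -EINVAL; a rejected write leaves
 * the previous value in place. */
int shift_g_set(const char *val)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(val, &end, 10);
    if (errno || end == val || (*end != '\0' && *end != '\n'))
        return -EINVAL;
    if (v > SHIFT_G_MAX)   /* also catches "-1", which strtoul wraps to ULONG_MAX */
        return -EINVAL;
    shift_g = (unsigned int)v;
    return 0;
}

unsigned int shift_g_get(void) { return shift_g; }

/* Same semantics as the kernel's min_not_zero(): the smaller value, ignoring zero. */
static uint32_t min_not_zero_u32(uint32_t a, uint32_t b)
{
    if (a == 0) return b;
    if (b == 0) return a;
    return a < b ? a : b;
}

/* Decay step from the description; well defined because shift_g < 32 is enforced. */
uint32_t alpha_decay(uint32_t alpha)
{
    return alpha - min_not_zero_u32(alpha, alpha >> shift_g);
}

int main(void)
{
    printf("set 100 -> %d, shift_g=%u\n", shift_g_set("100"), shift_g_get());
    printf("alpha 1024 -> %u\n", (unsigned)alpha_decay(1024));
    return 0;
}
```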
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.18 (including) | 4.19.316 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.278 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.219 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.161 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.93 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.33 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.4 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c
- https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6
- https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd
- https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66
- https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf
- https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a
- https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be
- https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html



