CVE-2024-47684

Severity (CVSS v4.0): Pending analysis
Type: CWE-476 (NULL Pointer Dereference)
Publication date: 21/10/2024
Last modified: 03/11/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

tcp: check skb is non-NULL in tcp_rto_delta_us()

We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic kernel that are running ceph and recently hit a null ptr dereference in tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also saw it getting hit from the RACK case as well. Here are examples of the oops messages we saw in each of those cases:

```text
Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
Jul 26 15:05:02 rx [11061395.916786] Call Trace:
Jul 26 15:05:02 rx [11061395.919488]
Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_even
```
---truncated---
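The oops above faults at address 0x20, a small offset from NULL, inside tcp_rearm_rto() on the TLP timer path, and the commit title says the fix is a NULL check on the skb in tcp_rto_delta_us(). The following C program is an added illustration of that bug class and of the fix's shape; it is not the kernel's code. The structures `mock_skb` and `mock_sock` and the functions `rto_delta_us_unchecked`, `rto_delta_us_checked` and `rearm_rto_checked` are constructed stand-ins for the real socket, retransmit queue and timer logic, and the pre-fix shape is assumed from the commit title, not copied from the kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel objects involved (not the kernel's own
 * definitions). The retransmit queue head is NULL once every outstanding
 * segment has been acknowledged, which is a state a timer path can observe. */
struct mock_skb {
    uint64_t tstamp_us;          /* when this segment was last sent */
};

struct mock_sock {
    struct mock_skb *rtx_head;   /* head of the retransmit queue, or NULL */
    uint32_t icsk_rto_us;        /* current retransmission timeout */
};

/* Pre-fix shape, assumed from the commit title: the queue head is used
 * without a NULL check, so an empty queue becomes a read at a small offset
 * from address 0, the kind of fault the oops above reports (CR2 = 0x20). */
static int64_t rto_delta_us_unchecked(const struct mock_sock *sk, uint64_t now_us)
{
    const struct mock_skb *skb = sk->rtx_head;
    uint64_t rto_time_us = skb->tstamp_us + sk->icsk_rto_us; /* NULL deref when empty */
    return (int64_t)(rto_time_us - now_us);
}

/* Hardened shape: an empty queue is a legitimate state, so report the full
 * RTO and tell the caller the guard fired (a place to count or log it). */
static int64_t rto_delta_us_checked(const struct mock_sock *sk, uint64_t now_us,
                                    bool *guard_fired)
{
    const struct mock_skb *skb = sk->rtx_head;
    if (!skb) {
        if (guard_fired)
            *guard_fired = true;
        return (int64_t)sk->icsk_rto_us;
    }
    uint64_t rto_time_us = skb->tstamp_us + sk->icsk_rto_us;
    return (int64_t)(rto_time_us - now_us);
}

/* Mock of the timer re-arm decision: arm for the remaining delta if any time
 * is left, otherwise for a full RTO. Returns the interval that would be armed. */
static uint32_t rearm_rto_checked(const struct mock_sock *sk, uint64_t now_us)
{
    bool fired = false;
    int64_t delta = rto_delta_us_checked(sk, now_us, &fired);
    if (fired)
        fprintf(stderr, "rearm: empty retransmit queue, arming full RTO\n");
    return delta > 0 ? (uint32_t)delta : sk->icsk_rto_us;
}

int main(void)
{
    struct mock_skb head = { .tstamp_us = 1000 };
    struct mock_sock sk = { .rtx_head = &head, .icsk_rto_us = 200000 };

    /* Both variants agree while the queue has a head. */
    printf("with skb: unchecked=%lld checked=%lld\n",
           (long long)rto_delta_us_unchecked(&sk, 101000),
           (long long)rto_delta_us_checked(&sk, 101000, NULL));

    /* Empty queue: only the checked variant is safe to call here. */
    sk.rtx_head = NULL;
    printf("empty queue: arm %u us\n", rearm_rto_checked(&sk, 101000));
    return 0;
}
```

The `guard_fired` flag stands in for whatever the real helper would do when the unexpected state is reached (a warning, a counter); from a detection standpoint, a timer firing on a socket whose retransmit queue is already empty is worth surfacing rather than silently tolerating, since it points at a bookkeeping path that armed a timer with nothing left to retransmit.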
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.13 (including) | 5.10.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.54 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.2 (excluding) |
| cpe:2.3:o:linux:linux_kernel:3.10.108:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/09aea49fbc7e755a915c405644f347137cdb62b0
- https://git.kernel.org/stable/c/16e0387d87fc858e34449fdf2b14ed5837f761db
- https://git.kernel.org/stable/c/570f7d8c9bf14f041152ba8353d4330ef7575915
- https://git.kernel.org/stable/c/5c4c03288a4aea705e36aa44119c13d7ee4dce99
- https://git.kernel.org/stable/c/81d18c152e3f82bacadf83bc0a471b2363b9cc18
- https://git.kernel.org/stable/c/96c4983eab2a5da235f7fff90beaf17b008ba029
- https://git.kernel.org/stable/c/ad4f0a14d6856e68f023fc4e5017cfd881a3dfbc
- https://git.kernel.org/stable/c/c8770db2d54437a5f49417ae7b46f7de23d14db6
- https://git.kernel.org/stable/c/ec31cf42fc4e35bb1248ce6eb1de6de9f851ac86
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html