CVE-2024-26675
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/04/2024
Last modified:
17/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ppp_async: limit MRU to 64K<br />
<br />
syzbot triggered a warning [1] in __alloc_pages():<br />
<br />
WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)<br />
<br />
Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K")<br />
<br />
Adopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)<br />
<br />
[1]:<br />
<br />
WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543<br />
Modules linked in:<br />
CPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023<br />
Workqueue: events_unbound flush_to_ldisc<br />
pstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br />
pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543<br />
lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537<br />
sp : ffff800093967580<br />
x29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000<br />
x26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0<br />
x23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8<br />
x20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120<br />
x17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005<br />
x14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000<br />
x11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001<br />
x8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f<br />
x5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020<br />
x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0<br />
Call trace:<br />
__alloc_pages+0x308/0x698 mm/page_alloc.c:4543<br />
__alloc_pages_node include/linux/gfp.h:238 [inline]<br />
alloc_pages_node include/linux/gfp.h:261 [inline]<br />
__kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926<br />
__do_kmalloc_node mm/slub.c:3969 [inline]<br />
__kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001<br />
kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590<br />
__alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651<br />
__netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715<br />
netdev_alloc_skb include/linux/skbuff.h:3235 [inline]<br />
dev_alloc_skb include/linux/skbuff.h:3248 [inline]<br />
ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]<br />
ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341<br />
tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390<br />
tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37<br />
receive_buf drivers/tty/tty_buffer.c:444 [inline]<br />
flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494<br />
process_one_work+0x694/0x1204 kernel/workqueue.c:2633<br />
process_scheduled_works kernel/workqueue.c:2706 [inline]<br />
worker_thread+0x938/0xef4 kernel/workqueue.c:2787<br />
kthread+0x288/0x310 kernel/kthread.c:388<br />
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.12 (including) | 4.19.307 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.269 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.210 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.149 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.78 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8
- https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16
- https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed
- https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982
- https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3
- https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719
- https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b
- https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8
- https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8
- https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16
- https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed
- https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982
- https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3
- https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719
- https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b
- https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html