Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-36905

Severity CVSS v4.0:
Pending analysis
Type:
CWE-369 Divide By Zero
Publication date:
30/05/2024
Last modified:
22/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets<br /> <br /> TCP_SYN_RECV state is really special, it is only used by<br /> cross-syn connections, mostly used by fuzzers.<br /> <br /> In the following crash [1], syzbot managed to trigger a divide<br /> by zero in tcp_rcv_space_adjust()<br /> <br /> A socket makes the following state transitions,<br /> without ever calling tcp_init_transfer(),<br /> meaning tcp_init_buffer_space() is also not called.<br /> <br /> TCP_CLOSE<br /> connect()<br /> TCP_SYN_SENT<br /> TCP_SYN_RECV<br /> shutdown() -&gt; tcp_shutdown(sk, SEND_SHUTDOWN)<br /> TCP_FIN_WAIT1<br /> <br /> To fix this issue, change tcp_shutdown() to not<br /> perform a TCP_SYN_RECV -&gt; TCP_FIN_WAIT1 transition,<br /> which makes no sense anyway.<br /> <br /> When tcp_rcv_state_process() later changes socket state<br /> from TCP_SYN_RECV to TCP_ESTABLISH, then look at<br /> sk-&gt;sk_shutdown to finally enter TCP_FIN_WAIT1 state,<br /> and send a FIN packet from a sane socket state.<br /> <br /> This means tcp_send_fin() can now be called from BH<br /> context, and must use GFP_ATOMIC allocations.<br /> <br /> [1]<br /> divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024<br /> RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767<br /> Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48<br /> RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246<br /> RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7<br /> R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30<br /> R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da<br /> FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513<br /> tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578<br /> inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680<br /> sock_recvmsg_nosec net/socket.c:1046 [inline]<br /> sock_recvmsg+0x109/0x280 net/socket.c:1068<br /> ____sys_recvmsg+0x1db/0x470 net/socket.c:2803<br /> ___sys_recvmsg net/socket.c:2845 [inline]<br /> do_recvmmsg+0x474/0xae0 net/socket.c:2939<br /> __sys_recvmmsg net/socket.c:3018 [inline]<br /> __do_sys_recvmmsg net/socket.c:3041 [inline]<br /> __se_sys_recvmmsg net/socket.c:3034 [inline]<br /> __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7faeb6363db9<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9<br /> RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005<br /> RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c<br /> R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.12.1 (including) 4.19.314 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.276 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.217 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.159 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.91 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.31 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.10 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools