In the Linux kernel, the following vulnerability has been resolved: mptcp:
prevent BPF accessing lowat from a subflow socket. Alexei reported the
following splat: WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430
subflow_data_ready+0x147/0x1c0 Modules linked in: dummy bpf_testmod(O)
[last unloaded: bpf_test_no_cfi(O)] CPU: 32 PID: 3276 Comm: test_progs
Tainted: GO 6.8.0-12873-g2c43c33bfd23 Call Trace: <TASK>
mptcp_set_rcvlowat+0x79/0x1d0 sk_setsockopt+0x6c0/0x1540
__bpf_setsockopt+0x6f/0x90 bpf_sock_ops_setsockopt+0x3c/0x90
bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b
bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132
bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86
__cgroup_bpf_run_filter_sock_ops+0xbc/0x250 tcp_connect+0x879/0x1160
tcp_v6_connect+0x50c/0x870 mptcp_connect+0x129/0x280
__inet_stream_connect+0xce/0x370 inet_stream_connect+0x36/0x50
bpf_trampoline_6442491565+0x49/0xef inet_stream_connect+0x5/0x50
__sys_connect+0x63/0x90 __x64_sys_connect+0x14/0x20 The root cause of the
issue is that bpf allows accessing mptcp-level proto_ops from a tcp subflow
scope. Fix the issue detecting the problematic call and preventing any
action.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 24.04 | noarch | linux | < 6.8.0-38.38 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1011.12 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-azure | < 6.8.0-1010.10 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gcp | < 6.8.0-1010.11 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gke | < 6.8.0-1006.9 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-ibm | < 6.8.0-1008.8 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-intel | < 6.8.0-1007.14 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-lowlatency | < 6.8.0-38.38.1 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-nvidia | < 6.8.0-1009.9 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-oem-6.8 | < 6.8.0-1008.8 | UNKNOWN |
git.kernel.org/linus/fcf4692fa39e86a590c14a4af2de704e1d20a3b5 (6.9-rc3)
git.kernel.org/stable/c/3ffb1ab698376f09cc33101c07c1be229389fe29
git.kernel.org/stable/c/fcf4692fa39e86a590c14a4af2de704e1d20a3b5
launchpad.net/bugs/cve/CVE-2024-35894
nvd.nist.gov/vuln/detail/CVE-2024-35894
security-tracker.debian.org/tracker/CVE-2024-35894
ubuntu.com/security/notices/USN-6893-1
ubuntu.com/security/notices/USN-6893-2
ubuntu.com/security/notices/USN-6893-3
ubuntu.com/security/notices/USN-6918-1
www.cve.org/CVERecord?id=CVE-2024-35894