Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2024-26640

Disclosure Date: March 18, 2024 •

CVE-2024-26640 CVSS v3 Base Score: 5.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: add sanity checks to rx zerocopy

TCP rx zerocopy intent is to map pages initially allocated
from NIC drivers, not pages owned by a fs.

This patch adds to can_map_frag() these additional checks:

Page must not be a compound one.
page->mapping must be NULL.

This fixes the panic reported by ZhangPeng.

syzbot was able to loopback packets built with sendfile(),
mapping pages owned by an ext4 file to TCP rx zerocopy.

r3 = socket$inet_tcp(0x2, 0x1, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0) r4 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10) connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)=‘./file0\x00’,

0x181e42, 0x0)

fallocate(r5, 0x0, 0x0, 0x85b8)
sendfile(r4, r5, 0x0, 0x8ba0)
getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,

&(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)

r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)=‘./file0\x00’,

0x181e42, 0x0)

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

Vendors

Products

References

Canonical

CVE-2024-26640 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26640)

Miscellaneous

https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6f

https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541e

https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5e

https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760

https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60

https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Rapid7

Unknown

CVE-2024-26640

Unknown

Unknown

None

Low

Local

CVE-2024-26640

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-26640

Unknown

Unknown

None

Low

Local

CVE-2024-26640

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification