CVE-2024-35890 gro: fix ownership transfer

2024-05-1908:34:46

Linux

raw.githubusercontent.com

linux kernel

vulnerability

fix

ownership transfer

groed

fraglist

segmented

destructor

skb_segment_list

orphaned

socket

bug

kernel

rip

ip6_rcv_core

call trace

ipv6_list_rcv

netif_receive_skb_list_internal

napi_complete_done

gro_cell_poll

skb_gro_receive

change

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

gro: fix ownership transfer

If packets are GROed with fraglist they might be segmented later on and
continue their journey in the stack. In skb_segment_list those skbs can
be reused as-is. This is an issue as their destructor was removed in
skb_gro_receive_list but not the reference to their socket, and then
they can’t be orphaned. Fix this by also removing the reference to the
socket.

For example this could be observed,

kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)
RIP: 0010:ip6_rcv_core+0x11bc/0x19a0
Call Trace:
ipv6_list_rcv+0x250/0x3f0
__netif_receive_skb_list_core+0x49d/0x8f0
netif_receive_skb_list_internal+0x634/0xd40
napi_complete_done+0x1d2/0x7d0
gro_cell_poll+0x118/0x1f0

A similar construction is found in skb_gro_receive, apply the same
change there.