vulnerability

Ubuntu: (Multiple Advisories) (CVE-2024-41048): Linux kernel vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:L/AC:L/Au:S/C:N/I:N/A:C)	Jul 29, 2024	Sep 16, 2024	Feb 20, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

Jul 29, 2024

Added

Sep 16, 2024

Modified

Feb 20, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

skmsg: Skip zero length skb in sk_msg_recvmsg

When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch
platform, the following kernel panic occurs:

[...]
Oops[#1]:
CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18
Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018
... ...
ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560
ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0
CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
PRMD: 0000000c (PPLV0 +PIE +PWE)
EUEN: 00000007 (+FPE +SXE +ASXE -BTE)
ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
BADV: 0000000000000040
PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)
Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack
Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)
Stack : ...
Call Trace:
[ [] sk_msg_recvmsg+0x120/0x560
[] tcp_bpf_recvmsg_parser+0x170/0x4e0
[] inet_recvmsg+0x54/0x100
[] sock_recvmsg+0x7c/0xe0
[] __sys_recvfrom+0x108/0x1c0
[] sys_recvfrom+0x1c/0x40
[] do_syscall+0x8c/0xc0
[] handle_syscall+0xc4/0x160
Code: ...
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception
Kernel relocated by 0x3510000
.text @ 0x9000000003710000
.data @ 0x9000000004d70000
.bss @ 0x9000000006469400
---[ end Kernel panic - not syncing: Fatal exception ]---
[...]

This crash happens every time when running sockmap_skb_verdict_shutdown
subtest in sockmap_basic.

This crash is because a NULL pointer is passed to page_address() in the
sk_msg_recvmsg(). Due to the different implementations depending on the
architecture, page_address(NULL) will trigger a panic on Loongarch
platform but not on x86 platform. So this bug was hidden on x86 platform
for a while, but now it is exposed on Loongarch platform. The root cause
is that a zero length skb (skb->len == 0) was put on the queue.

This zero length skb is a TCP FIN packet, which was sent by shutdown(),
invoked in test_sockmap_skb_verdict_shutdown():

shutdown(p1, SHUT_WR);

In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no
page is put to this sge (see sg_set_page in sg_set_page), but this empty
sge is queued into ingress_msg list.

And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by
sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it
to kmap_local_page() and to page_address(), then kernel panics.

To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),
if copy is zero, that means it's a zero length skb, skip invoking
copy_page_to_iter(). We are using the EFAULT return triggered by
copy_page_to_iter to check for is_fin in tcp_bpf.c.

Solution(s)

ubuntu-upgrade-linux-image-5-15-0-1035-xilinx-zynqmpubuntu-upgrade-linux-image-5-15-0-1052-gkeopubuntu-upgrade-linux-image-5-15-0-1062-ibmubuntu-upgrade-linux-image-5-15-0-1062-raspiubuntu-upgrade-linux-image-5-15-0-1064-intel-iotgubuntu-upgrade-linux-image-5-15-0-1064-nvidiaubuntu-upgrade-linux-image-5-15-0-1064-nvidia-lowlatencyubuntu-upgrade-linux-image-5-15-0-1066-gkeubuntu-upgrade-linux-image-5-15-0-1066-kvmubuntu-upgrade-linux-image-5-15-0-1067-oracleubuntu-upgrade-linux-image-5-15-0-1068-gcpubuntu-upgrade-linux-image-5-15-0-1069-awsubuntu-upgrade-linux-image-5-15-0-1072-azureubuntu-upgrade-linux-image-5-15-0-1072-azure-fdeubuntu-upgrade-linux-image-5-15-0-121-genericubuntu-upgrade-linux-image-5-15-0-121-generic-64kubuntu-upgrade-linux-image-5-15-0-121-generic-lpaeubuntu-upgrade-linux-image-5-15-0-121-lowlatencyubuntu-upgrade-linux-image-5-15-0-121-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1002-gkeopubuntu-upgrade-linux-image-6-8-0-1013-gkeubuntu-upgrade-linux-image-6-8-0-1014-ibmubuntu-upgrade-linux-image-6-8-0-1014-raspiubuntu-upgrade-linux-image-6-8-0-1015-oracleubuntu-upgrade-linux-image-6-8-0-1015-oracle-64kubuntu-upgrade-linux-image-6-8-0-1016-azureubuntu-upgrade-linux-image-6-8-0-1016-azure-fdeubuntu-upgrade-linux-image-6-8-0-1016-gcpubuntu-upgrade-linux-image-6-8-0-1016-oemubuntu-upgrade-linux-image-6-8-0-1017-azureubuntu-upgrade-linux-image-6-8-0-1017-azure-fdeubuntu-upgrade-linux-image-6-8-0-1017-gcpubuntu-upgrade-linux-image-6-8-0-1017-nvidiaubuntu-upgrade-linux-image-6-8-0-1017-nvidia-64kubuntu-upgrade-linux-image-6-8-0-1017-nvidia-lowlatencyubuntu-upgrade-linux-image-6-8-0-1017-nvidia-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1018-awsubuntu-upgrade-linux-image-6-8-0-48-genericubuntu-upgrade-linux-image-6-8-0-48-generic-64kubuntu-upgrade-linux-image-6-8-0-48-lowlatencyubuntu-upgrade-linux-image-6-8-0-48-lowlatency-64kubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-lts-22-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-cvmubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fde-lts-22-04ubuntu-upgrade-linux-image-azure-lts-22-04ubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-lts-22-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-hwe-20-04ubuntu-upgrade-linux-image-generic-64k-hwe-22-04ubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-20-04ubuntu-upgrade-linux-image-generic-hwe-22-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-generic-lpae-hwe-20-04ubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gke-5-15ubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-5-15ubuntu-upgrade-linux-image-gkeop-6-8ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-classicubuntu-upgrade-linux-image-ibm-lts-24-04ubuntu-upgrade-linux-image-intelubuntu-upgrade-linux-image-intel-iotgubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04ubuntu-upgrade-linux-image-lowlatency-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-hwe-22-04ubuntu-upgrade-linux-image-lowlatency-hwe-24-04ubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-6-8ubuntu-upgrade-linux-image-nvidia-64kubuntu-upgrade-linux-image-nvidia-64k-6-8ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04ubuntu-upgrade-linux-image-nvidia-hwe-22-04ubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-nvidia-lowlatency-64kubuntu-upgrade-linux-image-oem-20-04ubuntu-upgrade-linux-image-oem-20-04bubuntu-upgrade-linux-image-oem-20-04cubuntu-upgrade-linux-image-oem-20-04dubuntu-upgrade-linux-image-oem-22-04ubuntu-upgrade-linux-image-oem-22-04aubuntu-upgrade-linux-image-oem-22-04bubuntu-upgrade-linux-image-oem-22-04cubuntu-upgrade-linux-image-oem-22-04dubuntu-upgrade-linux-image-oem-24-04ubuntu-upgrade-linux-image-oem-24-04aubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-lts-22-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-nolpaeubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-hwe-20-04ubuntu-upgrade-linux-image-virtual-hwe-22-04ubuntu-upgrade-linux-image-virtual-hwe-24-04ubuntu-upgrade-linux-image-xilinx-zynqmp

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today