CVE-2024-50034

一、漏洞信息
 漏洞编号：[CVE-2024-50034](https://nvd.nist.gov/vuln/detail/CVE-2024-50034)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：5.5 Medium
  Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMCEric report a panic on IPPROTO_SMC, and give the factsthat when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.Bug: Unable to handle kernel NULL pointer dereference at virtual address0000000000000000Mem abort info:ESR = 0x0000000086000005EC = 0x21: IABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x05: level 1 translation faultuser pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000[0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,pud=0000000000000000Internal error: Oops: 0000000086000005 [#1] PREEMPT SMPModules linked in:CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted6.11.0-rc7-syzkaller-g5f5673607153 #0Hardware name: Google Google Compute Engine/Google Compute Engine,BIOS Google 08/06/2024pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : 0x0lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910sp : ffff80009b887a90x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79eex17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003fx5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000Call trace:0x0netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973security_socket_post_create+0x94/0xd4 security/security.c:4425__sock_create+0x4c8/0x884 net/socket.c:1587sock_create net/socket.c:1622 [inline]__sys_socket_create net/socket.c:1659 [inline]__sys_socket+0x134/0x340 net/socket.c:1706__do_sys_socket net/socket.c:1720 [inline]__se_sys_socket net/socket.c:1718 [inline]__arm64_sys_socket+0x7c/0x94 net/socket.c:1718__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598Code: ???????? ???????? ???????? ???????? (????????)---[ end trace 0000000000000000 ]---This patch add a toy implementation that performs a simple return toprevent such panic. This is because MSS can be set in sock_create_kernor smc_setsockopt, similar to how it s done in AF_SMC. However, forAF_SMC, there is currently no way to synchronize MSS within__sys_connect_file. This toy implementation lays the groundwork for usto support such feature for IPPROTO_SMC in the future.
 漏洞公开时间：2024-10-22 04:15:16
 漏洞创建时间：2024-10-22 04:59:59
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-50034
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/44dc50df15f5bd4221d8f708885a9d49cda7f57e |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/6fd27ea183c208e478129a85e11d880fc70040f2 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-50034 | https://bugzilla.suse.com/show_bug.cgi?id=1231913 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-50034 | https://bugzilla.suse.com/show_bug.cgi?id=1231913 |
| suse_bugzilla | https://git.kernel.org/stable/c/44dc50df15f5bd4221d8f708885a9d49cda7f57e | https://bugzilla.suse.com/show_bug.cgi?id=1231913 |
| suse_bugzilla | https://git.kernel.org/stable/c/6fd27ea183c208e478129a85e11d880fc70040f2 | https://bugzilla.suse.com/show_bug.cgi?id=1231913 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-50034.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1231913 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-50034-46ef@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2320606 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-50034 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2024-50034 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/44dc50df15f5bd4221d8f708885a9d49cda7f57e |  | nvd |
|  |  | https://git.kernel.org/stable/c/6fd27ea183c208e478129a85e11d880fc70040f2 |  | nvd |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMCEric report a panic on IPPROTO_SMC, and give the factsthat when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.Bug: Unable to handle kernel NULL pointer dereference at virtual address0000000000000000Mem abort info:ESR = 0x0000000086000005EC = 0x21: IABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x05: level 1 translation faultuser pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000[0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,pud=0000000000000000Internal error: Oops: 0000000086000005 [#1] PREEMPT SMPModules linked in:CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted6.11.0-rc7-syzkaller-g5f5673607153 #0Hardware name: Google Google Compute Engine/Google Compute Engine,BIOS Google 08/06/2024pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : 0x0lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910sp : ffff80009b887a90x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79eex17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003fx5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000Call trace:0x0netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973security_socket_post_create+0x94/0xd4 security/security.c:4425__sock_create+0x4c8/0x884 net/socket.c:1587sock_create net/socket.c:1622 [inline]__sys_socket_create net/socket.c:1659 [inline]__sys_socket+0x134/0x340 net/socket.c:1706__do_sys_socket net/socket.c:1720 [inline]__se_sys_socket net/socket.c:1718 [inline]__arm64_sys_socket+0x7c/0x94 net/socket.c:1718__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598Code: ???????? ???????? ???????? ???????? (????????)---[ end trace 0000000000000000 ]---This patch add a toy implementation that performs a simple return toprevent such panic. This is because MSS can be set in sock_create_kernor smc_setsockopt, similar to how it s done in AF_SMC. However, forAF_SMC, there is currently no way to synchronize MSS within__sys_connect_file. This toy implementation lays the groundwork for usto support such feature for IPPROTO_SMC in the future.
 openEuler评分：
  5.5
 Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):不受影响
2.openEuler-22.03-LTS-SP1(5.10.0):不受影响
3.openEuler-22.03-LTS-SP3(5.10.0):不受影响
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响
5.master(6.6.0):不受影响
6.openEuler-24.03-LTS(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响
8.openEuler-24.03-LTS-SP1(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否
8.openEuler-24.03-LTS-SP1(6.6.0):否

原因说明：
  1.openEuler-20.03-LTS-SP4(4.19.90):不受影响-漏洞代码不存在
2.openEuler-22.03-LTS-SP1(5.10.0):不受影响-漏洞代码不存在
3.openEuler-22.03-LTS-SP3(5.10.0):不受影响-漏洞代码不存在
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响-漏洞代码不存在
5.master(6.6.0):不受影响-漏洞代码不存在
6.openEuler-24.03-LTS(6.6.0):不受影响-漏洞代码不存在
7.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不存在
8.openEuler-24.03-LTS-SP1(6.6.0):不受影响-漏洞代码不存在

src-openEuler/kernel
Closed

Content Risk Flag

Comments (10)

src-openEuler/kernelClosed .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2024-50034

Comments (10)

Search

src-openEuler/kernel
Closed