Bug 2272834 (CVE-2024-26677)
| Summary: | CVE-2024-26677 kernel: rxrpc: Fix delayed ACKs to not set the reference serial number | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jaltman, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sidakwo, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kernel 6.6.17, kernel 6.7.5, kernel 6.8 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability in the Linux kernel affects the Remote Procedure Call over the Rx protocol (rxrpc) subsystem. The flaw involves an issue with delayed acknowledgments (ACKs) in which the system mistakenly sets the reference serial number. This reference serial number is not valid in this context and cannot be used as a Round Trip Time (RTT) reference, leading to potential disruptions in network communication.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2272835 | ||
| Bug Blocks: | 2272924 | ||
|
Description
Mauro Matteo Cascella
2024-04-02 23:56:28 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2272835] This was fixed for Fedora with the 6.7.5 stable kernel updates. I do not see a security problem in this fix. The upstream commit e7870cf13d20f56bfc19f9c3e89707c69cf104ef has been merged to centos-stream-9 as commit 822afb772db3080089dcfc9cd619f46be198d491. The upstream commit was authored by David Howells in response to a bug report from me. Neither of us deem this change worthy of a CVE. Prior this change "rxrpc" remembered the serial number of the incoming DATA packet that resulted in the scheduling of a delayed ACK. ACK transmission is delayed either when another DATA packet is required to satisfy the ACK every other DATA packet rule; or when all of the incoming DATA packets have been received and it is hoped that a response DATA packet can be sent in place of the delayed ACK. When constructing an ACK packet with reason RX_ACK_DELAY setting the serial number of the DATA packet that triggered the delayed ACK to be scheduled is unnecessary. All of the RxRPC implementations filter out ACK packets with reason RX_ACK_DELAY when using ACKs to estimate round trip times. The aforementioned change is not a security issue but a performance optimization. As described in https://bugzilla.redhat.com/show_bug.cgi?id=2272834#c8, there is no vulnerability fixed by upstream commit e7870cf13d20f56bfc19f9c3e89707c69cf104ef. Can someone with privileges please close this ticket as NOT A BUG. |