Bug 2324879 (CVE-2024-50258) - CVE-2024-50258 kernel: net: fix crash when config small gso_max_size/gso_ipv4_max_size
Summary: CVE-2024-50258 kernel: net: fix crash when config small gso_max_size/gso_ipv4...
Keywords:
Status: NEW
Alias: CVE-2024-50258
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2325100
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-11-09 11:02 UTC by OSIDB Bzimport
Modified: 2024-11-21 18:58 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-11-09 11:02:53 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: fix crash when config small gso_max_size/gso_ipv4_max_size

Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow
in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
because sk->sk_gso_max_size would be much bigger than device limits.
Call Trace:
tcp_write_xmit
    tso_segs = tcp_init_tso_segs(skb, mss_now);
        tcp_set_skb_tso_segs
            tcp_skb_pcount_set
                // skb->len = 524288, mss_now = 8
                // u16 tso_segs = 524288/8 = 65535 -> 0
                tso_segs = DIV_ROUND_UP(skb->len, mss_now)
    BUG_ON(!tso_segs)
Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
Comment 1 Avinash Hanwate 2024-11-11 05:45:30 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024110939-CVE-2024-50258-1b4c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.