fkie_cve-2024-57843
Vulnerability from fkie_nvd
Published
2025-01-11 15:15
Modified
2025-01-11 15:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix overflow inside virtnet_rq_alloc When the frag just got a page, then may lead to regression on VM. Specially if the sysctl net.core.high_order_alloc_disable value is 1, then the frag always get a page when do refill. Which could see reliable crashes or scp failure (scp a file 100M in size to VM). The issue is that the virtnet_rq_dma takes up 16 bytes at the beginning of a new frag. When the frag size is larger than PAGE_SIZE, everything is fine. However, if the frag is only one page and the total size of the buffer and virtnet_rq_dma is larger than one page, an overflow may occur. The commit f9dac92ba908 ("virtio_ring: enable premapped mode whatever use_dma_api") introduced this problem. And we reverted some commits to fix this in last linux version. Now we try to enable it and fix this bug directly. Here, when the frag size is not enough, we reduce the buffer len to fix this problem.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/67a11de8965c2ab19e215fb6651d44847e068614
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6aacd1484468361d1d04badfe75f264fa5314864
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a8f7d6963768b114ec9644ff0148dde4c104e84b
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix overflow inside virtnet_rq_alloc\n\nWhen the frag just got a page, then may lead to regression on VM.\nSpecially if the sysctl net.core.high_order_alloc_disable value is 1,\nthen the frag always get a page when do refill.\n\nWhich could see reliable crashes or scp failure (scp a file 100M in size\nto VM).\n\nThe issue is that the virtnet_rq_dma takes up 16 bytes at the beginning\nof a new frag. When the frag size is larger than PAGE_SIZE,\neverything is fine. However, if the frag is only one page and the\ntotal size of the buffer and virtnet_rq_dma is larger than one page, an\noverflow may occur.\n\nThe commit f9dac92ba908 (\"virtio_ring: enable premapped mode whatever\nuse_dma_api\") introduced this problem. And we reverted some commits to\nfix this in last linux version. Now we try to enable it and fix this\nbug directly.\n\nHere, when the frag size is not enough, we reduce the buffer len to fix\nthis problem."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio-net: se corrige el desbordamiento dentro de virtnet_rq_alloc Cuando el fragmento acaba de obtener una p\u00e1gina, puede provocar una regresi\u00f3n en la m\u00e1quina virtual. Especialmente si el valor de sysctl net.core.high_order_alloc_disable es 1, entonces el fragmento siempre obtiene una p\u00e1gina cuando se rellena. Lo que podr\u00eda provocar fallos fiables o fallos de SCP (enviar un archivo de 100 M de tama\u00f1o a la m\u00e1quina virtual). El problema es que virtnet_rq_dma ocupa 16 bytes al principio de un nuevo fragmento. Cuando el tama\u00f1o del fragmento es mayor que PAGE_SIZE, todo est\u00e1 bien. Sin embargo, si el fragmento es solo una p\u00e1gina y el tama\u00f1o total del b\u00fafer y virtnet_rq_dma es mayor que una p\u00e1gina, puede producirse un desbordamiento. El commit f9dac92ba908 (\"virtio_ring: habilitar el modo premapeado sea cual sea el uso de_dma_api\") introdujo este problema. Y revertimos algunas confirmaciones para solucionar este problema en la \u00faltima versi\u00f3n de Linux. Ahora intentamos habilitarlo y solucionar este error directamente. Aqu\u00ed, cuando el tama\u00f1o del fragmento no es suficiente, reducimos la longitud del b\u00fafer para solucionar este problema."
    }
  ],
  "id": "CVE-2024-57843",
  "lastModified": "2025-01-11T15:15:07.170",
  "metrics": {},
  "published": "2025-01-11T15:15:07.170",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/67a11de8965c2ab19e215fb6651d44847e068614"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6aacd1484468361d1d04badfe75f264fa5314864"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a8f7d6963768b114ec9644ff0148dde4c104e84b"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.