ghsa-q383-xwj3-rcf5
Vulnerability from github
Published
2025-02-27 03:34
Modified
2025-02-27 03:34
Details

In the Linux kernel, the following vulnerability has been resolved:

tcp: correct handling of extreme memory squeeze

Testing with iperf3 using the "pasta" protocol splicer has revealed a problem in the way tcp handles window advertising in extreme memory squeeze situations.

Under memory pressure, a socket endpoint may temporarily advertise a zero-sized window, but this is not stored as part of the socket data. The reasoning behind this is that it is considered a temporary setting which shouldn't influence any further calculations.

However, if we happen to stall at an unfortunate value of the current window size, the algorithm selecting a new value will consistently fail to advertise a non-zero window once we have freed up enough memory. This means that this side's notion of the current window size is different from the one last advertised to the peer, causing the latter to not send any data to resolve the sitution.

The problem occurs on the iperf3 server side, and the socket in question is a completely regular socket with the default settings for the fedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket.

The following excerpt of a logging session, with own comments added, shows more in detail what is happening:

// tcp_v4_rcv(->) // tcp_rcv_established(->) 5201<->39222: ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ====

5201<->39222: DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184] [copied_seq 259909392->260034360 (124968), unread 5565800, qlen 85, ofoq 0] [OFO queue: gap: 65480, len: 0]

                    [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]

5201<->39222: (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_NOMEM) ? --> TRUE [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] returning 0

5201<->39222: ADVERTISING WIN 0, ACK_SEQ: 265600160

// Receive queue is at 85 buffers and we are out of memory. // We drop the incoming buffer, although it is in sequence, and decide // to send an advertisement with a window of zero. // We don't update tp->rcv_wnd and tp->rcv_wup accordingly, which means // we unconditionally shrink the window.

5201<->39222: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 5201<->39222: new_win = 0, win_now = 131184, 2 * win_now = 262368: new_win >= (2 * win_now) ? --> time_to_ack = 0: NOT calling tcp_send_ack() [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160]

              [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]
              [copied_seq 260040464->260040464 (0), unread 5559696, qlen 85, ofoq 0]
              returning 6104 bytes

// After each read, the algorithm for calculating the new receive // window in __tcp_cleanup_rbuf() finds it is too small to advertise // or to update tp->rcv_wnd. // Meanwhile, the peer thinks the window is zero, and will not send // any more data to trigger an update from the interrupt mode side.

5201<->39222: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160 5201<->39222: [new_win = 262144, win_now = 131184, 2 * win_n ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21710"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:14Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: correct handling of extreme memory squeeze\n\nTesting with iperf3 using the \"pasta\" protocol splicer has revealed\na problem in the way tcp handles window advertising in extreme memory\nsqueeze situations.\n\nUnder memory pressure, a socket endpoint may temporarily advertise\na zero-sized window, but this is not stored as part of the socket data.\nThe reasoning behind this is that it is considered a temporary setting\nwhich shouldn\u0027t influence any further calculations.\n\nHowever, if we happen to stall at an unfortunate value of the current\nwindow size, the algorithm selecting a new value will consistently fail\nto advertise a non-zero window once we have freed up enough memory.\nThis means that this side\u0027s notion of the current window size is\ndifferent from the one last advertised to the peer, causing the latter\nto not send any data to resolve the sitution.\n\nThe problem occurs on the iperf3 server side, and the socket in question\nis a completely regular socket with the default settings for the\nfedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket.\n\nThe following excerpt of a logging session, with own comments added,\nshows more in detail what is happening:\n\n//              tcp_v4_rcv(-\u003e)\n//                tcp_rcv_established(-\u003e)\n[5201\u003c-\u003e39222]:     ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ====\n[5201\u003c-\u003e39222]:     tcp_data_queue(-\u003e)\n[5201\u003c-\u003e39222]:        DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM\n                       [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]\n                       [copied_seq 259909392-\u003e260034360 (124968), unread 5565800, qlen 85, ofoq 0]\n                       [OFO queue: gap: 65480, len: 0]\n[5201\u003c-\u003e39222]:     tcp_data_queue(\u003c-)\n[5201\u003c-\u003e39222]:     __tcp_transmit_skb(-\u003e)\n                        [tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160]\n[5201\u003c-\u003e39222]:       tcp_select_window(-\u003e)\n[5201\u003c-\u003e39222]:         (inet_csk(sk)-\u003eicsk_ack.pending \u0026 ICSK_ACK_NOMEM) ? --\u003e TRUE\n                        [tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160]\n                        returning 0\n[5201\u003c-\u003e39222]:       tcp_select_window(\u003c-)\n[5201\u003c-\u003e39222]:       ADVERTISING WIN 0, ACK_SEQ: 265600160\n[5201\u003c-\u003e39222]:     [__tcp_transmit_skb(\u003c-)\n[5201\u003c-\u003e39222]:   tcp_rcv_established(\u003c-)\n[5201\u003c-\u003e39222]: tcp_v4_rcv(\u003c-)\n\n// Receive queue is at 85 buffers and we are out of memory.\n// We drop the incoming buffer, although it is in sequence, and decide\n// to send an advertisement with a window of zero.\n// We don\u0027t update tp-\u003ercv_wnd and tp-\u003ercv_wup accordingly, which means\n// we unconditionally shrink the window.\n\n[5201\u003c-\u003e39222]: tcp_recvmsg_locked(-\u003e)\n[5201\u003c-\u003e39222]:   __tcp_cleanup_rbuf(-\u003e) tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160\n[5201\u003c-\u003e39222]:     [new_win = 0, win_now = 131184, 2 * win_now = 262368]\n[5201\u003c-\u003e39222]:     [new_win \u003e= (2 * win_now) ? --\u003e time_to_ack = 0]\n[5201\u003c-\u003e39222]:     NOT calling tcp_send_ack()\n                    [tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160]\n[5201\u003c-\u003e39222]:   __tcp_cleanup_rbuf(\u003c-)\n                  [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184]\n                  [copied_seq 260040464-\u003e260040464 (0), unread 5559696, qlen 85, ofoq 0]\n                  returning 6104 bytes\n[5201\u003c-\u003e39222]: tcp_recvmsg_locked(\u003c-)\n\n// After each read, the algorithm for calculating the new receive\n// window in __tcp_cleanup_rbuf() finds it is too small to advertise\n// or to update tp-\u003ercv_wnd.\n// Meanwhile, the peer thinks the window is zero, and will not send\n// any more data to trigger an update from the interrupt mode side.\n\n[5201\u003c-\u003e39222]: tcp_recvmsg_locked(-\u003e)\n[5201\u003c-\u003e39222]:   __tcp_cleanup_rbuf(-\u003e) tp-\u003ercv_wup: 265469200, tp-\u003ercv_wnd: 262144, tp-\u003ercv_nxt 265600160\n[5201\u003c-\u003e39222]:     [new_win = 262144, win_now = 131184, 2 * win_n\n---truncated---",
  "id": "GHSA-q383-xwj3-rcf5",
  "modified": "2025-02-27T03:34:01Z",
  "published": "2025-02-27T03:34:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21710"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1dd823a46e25ffde1492c391934f69a9e5eb574f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c670bdfa58e48abad1d5b6ca1ee843ca91f7303"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b01e7ceb35dcb7ffad413da657b78c3340a09039"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4055e2fe96f4ef101d8af0feb056d78d77514ff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.