CVE-2024-49949 (GCVE-0-2024-49949)

Vulnerability from cvelistv5 – Published: 2024-10-21 18:02 – Updated: 2025-11-03 22:23
Title
net: avoid potential underflow in qdisc_pkt_len_init() with UFO
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had a sanity check to detect malicious attempts from user space to cook a bad GSO packet.

Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO") while fixing one issue, allowed user space to cook a GSO packet with the following characteristic:

    IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len.

Then the following sets gso_segs to 0:

    gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
                            shinfo->gso_size);

Then later we set qdisc_skb_cb(skb)->pkt_len back to zero :/

    qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

This leads to the following crash in fq_codel [1]

qdisc_pkt_len_init() is best effort, we only want an estimation of the bytes sent on the wire, not crashing the kernel.

This patch is fixing this particular issue, a following one adds more sanity checks for another potential bug.

[1]
[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 70.724561] #PF: supervisor read access in kernel mode
[ 70.724561] #PF: error_code(0x0000) - not-present page
[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
All code
========
   0:   24 08                   and    $0x8,%al
   2:   49 c1 e1 06             shl    $0x6,%r9
   6:   44 89 7c 24 18          mov    %r15d,0x18(%rsp)
   b:   45 31 ed                xor    %r13d,%r13d
   e:   45 31 c0                xor    %r8d,%r8d
  11:   31 ff                   xor    %edi,%edi
  13:   89 44 24 14             mov    %eax,0x14(%rsp)
  17:   4c 03 8b 90 01 00 00    add    0x190(%rbx),%r9
  1e:   eb 04                   jmp    0x24
  20:   39 ca                   cmp    %ecx,%edx
  22:   73 37                   jae    0x5b
  24:   4d 8b 39                mov    (%r9),%r15
  27:   83 c7 01                add    $0x1,%edi
  2a:*  49 8b 17                mov    (%r15),%rdx      <-- trapping instruction
  2d:   49 89 11                mov    %rdx,(%r9)
  30:   41 8b 57 28             mov    0x28(%r15),%edx
  34:   45 8b 5f 34             mov    0x34(%r15),%r11d
  38:   49 c7 07 00 00 00 00    movq   $0x0,(%r15)
  3f:   49                      rex.WB

Code starting with the faulting instruction
===========================================
   0:   49 8b 17                mov    (%r15),%rdx
   3:   49 89 11                mov    %rdx,(%r9)
   6:   41 8b 57 28             mov    0x28(%r15),%edx
   a:   45 8b 5f 34             mov    0x34(%r15),%r11d
   e:   49 c7 07 00 00 00 00    movq   $0x0,(%r15)
  15:   49                      rex.WB
[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C
---truncated---

Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 960b360ca7463921c1a6b72e7066a706d6406223 , < d70ca7598943572d5e384227bd268acb5109bf72 (git)
Affected: fb2dbc124a7f800cd0e4f901a1bbb769a017104c , < 1598d70ad9c7d0a4d9d54b82094e9f45908fda6d (git)
Affected: 8e6bae950da9dc2d2c6c18b1c6b206dc00dc8772 , < ba26060a29d3ca1bfc737aa79f7125128f35147c (git)
Affected: 0f810d06b507aa40fef8d1ac0a88e6d0590dbfc3 , < 939c88cbdc668dadd8cfa7a35d9066331239041c (git)
Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < d6114993e0a89fde84a60a60a8329a571580b174 (git)
Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < 25ab0b87dbd89cecef8a9c60a02bb97832e471d1 (git)
Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < f959cce8a2a04ce776aa8b78e83ce339e0d7fbac (git)
Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < 81fd007dcd47c34471766249853e4d4bce8eea4b (git)
Affected: cf9acc90c80ecbee00334aa85d92f4e74014bcff , < c20029db28399ecc50e556964eaba75c43b1e2f1 (git)
Affected: 2128303bff700c857739a0af8cc39c1a41840650 (git)
Linux Linux Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 4.19.323 , ≤ 4.19.* (semver)
Unaffected: 5.4.285 , ≤ 5.4.* (semver)
Unaffected: 5.10.227 , ≤ 5.10.* (semver)
Unaffected: 5.15.168 , ≤ 5.15.* (semver)
Unaffected: 6.1.113 , ≤ 6.1.* (semver)
Unaffected: 6.6.55 , ≤ 6.6.* (semver)
Unaffected: 6.10.14 , ≤ 6.10.* (semver)
Unaffected: 6.11.3 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49949",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:36:39.259120Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:38:49.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:23:29.408Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d70ca7598943572d5e384227bd268acb5109bf72",
              "status": "affected",
              "version": "960b360ca7463921c1a6b72e7066a706d6406223",
              "versionType": "git"
            },
            {
              "lessThan": "1598d70ad9c7d0a4d9d54b82094e9f45908fda6d",
              "status": "affected",
              "version": "fb2dbc124a7f800cd0e4f901a1bbb769a017104c",
              "versionType": "git"
            },
            {
              "lessThan": "ba26060a29d3ca1bfc737aa79f7125128f35147c",
              "status": "affected",
              "version": "8e6bae950da9dc2d2c6c18b1c6b206dc00dc8772",
              "versionType": "git"
            },
            {
              "lessThan": "939c88cbdc668dadd8cfa7a35d9066331239041c",
              "status": "affected",
              "version": "0f810d06b507aa40fef8d1ac0a88e6d0590dbfc3",
              "versionType": "git"
            },
            {
              "lessThan": "d6114993e0a89fde84a60a60a8329a571580b174",
              "status": "affected",
              "version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
              "versionType": "git"
            },
            {
              "lessThan": "25ab0b87dbd89cecef8a9c60a02bb97832e471d1",
              "status": "affected",
              "version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
              "versionType": "git"
            },
            {
              "lessThan": "f959cce8a2a04ce776aa8b78e83ce339e0d7fbac",
              "status": "affected",
              "version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
              "versionType": "git"
            },
            {
              "lessThan": "81fd007dcd47c34471766249853e4d4bce8eea4b",
              "status": "affected",
              "version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
              "versionType": "git"
            },
            {
              "lessThan": "c20029db28399ecc50e556964eaba75c43b1e2f1",
              "status": "affected",
              "version": "cf9acc90c80ecbee00334aa85d92f4e74014bcff",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2128303bff700c857739a0af8cc39c1a41840650",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.323",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.323",
                  "versionStartIncluding": "4.19.218",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.285",
                  "versionStartIncluding": "5.4.162",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.227",
                  "versionStartIncluding": "5.10.82",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.168",
                  "versionStartIncluding": "5.15.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.55",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.14",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.3",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.256",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential underflow in qdisc_pkt_len_init() with UFO\n\nAfter commit 7c6d2ecbda83 (\"net: be more gentle about silly gso\nrequests coming from user\") virtio_net_hdr_to_skb() had sanity check\nto detect malicious attempts from user space to cook a bad GSO packet.\n\nThen commit cf9acc90c80ec (\"net: virtio_net_hdr_to_skb: count\ntransport header in UFO\") while fixing one issue, allowed user space\nto cook a GSO packet with the following characteristic :\n\nIPv4 SKB_GSO_UDP, gso_size=3, skb-\u003elen = 28.\n\nWhen this packet arrives in qdisc_pkt_len_init(), we end up\nwith hdr_len = 28 (IPv4 header + UDP header), matching skb-\u003elen\n\nThen the following sets gso_segs to 0 :\n\ngso_segs = DIV_ROUND_UP(skb-\u003elen - hdr_len,\n                        shinfo-\u003egso_size);\n\nThen later we set qdisc_skb_cb(skb)-\u003epkt_len to back to zero :/\n\nqdisc_skb_cb(skb)-\u003epkt_len += (gso_segs - 1) * hdr_len;\n\nThis leads to the following crash in fq_codel [1]\n\nqdisc_pkt_len_init() is best effort, we only want an estimation\nof the bytes sent on the wire, not crashing the kernel.\n\nThis patch is fixing this particular issue, a following one\nadds more sanity checks for another potential bug.\n\n[1]\n[   70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[   70.724561] #PF: supervisor read access in kernel mode\n[   70.724561] #PF: error_code(0x0000) - not-present page\n[   70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0\n[   70.724561] Oops: Oops: 0000 [#1] SMP NOPTI\n[   70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991\n[   70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel\n[ 70.724561] Code: 
24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 \u003c49\u003e 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49\nAll code\n========\n   0:\t24 08                \tand    $0x8,%al\n   2:\t49 c1 e1 06          \tshl    $0x6,%r9\n   6:\t44 89 7c 24 18       \tmov    %r15d,0x18(%rsp)\n   b:\t45 31 ed             \txor    %r13d,%r13d\n   e:\t45 31 c0             \txor    %r8d,%r8d\n  11:\t31 ff                \txor    %edi,%edi\n  13:\t89 44 24 14          \tmov    %eax,0x14(%rsp)\n  17:\t4c 03 8b 90 01 00 00 \tadd    0x190(%rbx),%r9\n  1e:\teb 04                \tjmp    0x24\n  20:\t39 ca                \tcmp    %ecx,%edx\n  22:\t73 37                \tjae    0x5b\n  24:\t4d 8b 39             \tmov    (%r9),%r15\n  27:\t83 c7 01             \tadd    $0x1,%edi\n  2a:*\t49 8b 17             \tmov    (%r15),%rdx\t\t\u003c-- trapping instruction\n  2d:\t49 89 11             \tmov    %rdx,(%r9)\n  30:\t41 8b 57 28          \tmov    0x28(%r15),%edx\n  34:\t45 8b 5f 34          \tmov    0x34(%r15),%r11d\n  38:\t49 c7 07 00 00 00 00 \tmovq   $0x0,(%r15)\n  3f:\t49                   \trex.WB\n\nCode starting with the faulting instruction\n===========================================\n   0:\t49 8b 17             \tmov    (%r15),%rdx\n   3:\t49 89 11             \tmov    %rdx,(%r9)\n   6:\t41 8b 57 28          \tmov    0x28(%r15),%edx\n   a:\t45 8b 5f 34          \tmov    0x34(%r15),%r11d\n   e:\t49 c7 07 00 00 00 00 \tmovq   $0x0,(%r15)\n  15:\t49                   \trex.WB\n[   70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202\n[   70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000\n[   70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n[   70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000\n[   70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58\n[   70.724561] R13: 
0000000000000000 R14: 0000000000000040 R15: 0000000000000000\n[   70.724561] FS:  000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000\n[   70.724561] CS:  0010 DS: 0000 ES: 0000 C\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:59:12.810Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72"
        },
        {
          "url": "https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c"
        },
        {
          "url": "https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174"
        },
        {
          "url": "https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac"
        },
        {
          "url": "https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1"
        }
      ],
      "title": "net: avoid potential underflow in qdisc_pkt_len_init() with UFO",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49949",
    "datePublished": "2024-10-21T18:02:05.756Z",
    "dateReserved": "2024-10-21T12:17:06.046Z",
    "dateUpdated": "2025-11-03T22:23:29.408Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

