CVE-2024-35841

{"id": "CVE-2024-35841", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-17T15:15:21.160", "references": [{"url": "https://git.kernel.org/stable/c/02e368eb1444a4af649b73cbe2edd51780511d86", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/294e7ea85f34748f04e5f3f9dba6f6b911d31aa8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dc9dfc8dc629e42f2234e3327b75324ffc752bc9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/02e368eb1444a4af649b73cbe2edd51780511d86", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/294e7ea85f34748f04e5f3f9dba6f6b911d31aa8", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/dc9dfc8dc629e42f2234e3327b75324ffc752bc9", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls, fix WARNIING in __sk_msg_free\n\nA splice with MSG_SPLICE_PAGES will cause tls code to use the\ntls_sw_sendmsg_splice path in the TLS sendmsg code to move the user\nprovided pages from the msg into the msg_pl. This will loop over the\nmsg until msg_pl is full, checked by sk_msg_full(msg_pl). The user\ncan also set the MORE flag to hint stack to delay sending until receiving\nmore pages and ideally a full buffer.\n\nIf the user adds more pages to the msg than can fit in the msg_pl\nscatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send\nthe buffer anyways.\n\nWhat actually happens though is we abort the msg to msg_pl scatterlist\nsetup and then because we forget to set 'full record' indicating we\ncan no longer consume data without a send we fallthrough to the 'continue'\npath which will check if msg_data_left(msg) has more bytes to send and\nthen attempts to fit them in the already full msg_pl. Then next\niteration of sender doing send will encounter a full msg_pl and throw\nthe warning in the syzbot report.\n\nTo fix simply check if we have a full_record in splice code path and\nif not send the msg regardless of MORE flag."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: tls, corrija la ADVERTENCIA en __sk_msg_free Un empalme con MSG_SPLICE_PAGES har\u00e1 que el c\u00f3digo tls use la ruta tls_sw_sendmsg_splice en el c\u00f3digo TLS sendmsg para mover las p\u00e1ginas proporcionadas por el usuario del msg al msg_pl . Esto recorrer\u00e1 el mensaje hasta que msg_pl est\u00e9 lleno, verificado por sk_msg_full(msg_pl). El usuario tambi\u00e9n puede configurar el indicador MORE para que la pila de sugerencias retrase el env\u00edo hasta recibir m\u00e1s p\u00e1ginas e idealmente un b\u00fafer completo. Si el usuario agrega m\u00e1s p\u00e1ginas al mensaje de las que caben en la lista de dispersi\u00f3n msg_pl (MAX_MSG_FRAGS), debemos ignorar el indicador M\u00c1S y enviar el b\u00fafer de todos modos. Sin embargo, lo que realmente sucede es que abortamos la configuraci\u00f3n de la lista de dispersi\u00f3n de msg a msg_pl y luego, como nos olvidamos de configurar el 'registro completo', lo que indica que ya no podemos consumir datos sin un env\u00edo, pasamos a la ruta 'continuar' que verificar\u00e1 si msg_data_left(msg) tiene m\u00e1s bytes para enviar y luego intenta incluirlos en el msg_pl que ya est\u00e1 completo. Luego, la pr\u00f3xima iteraci\u00f3n del remitente que realiza el env\u00edo encontrar\u00e1 un msg_pl completo y arrojar\u00e1 la advertencia en el informe syzbot. Para solucionarlo, simplemente verifique si tenemos un registro completo en la ruta del c\u00f3digo de empalme y, si no, env\u00ede el mensaje independientemente del indicador MORE."}], "lastModified": "2025-09-26T16:05:30.813", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EAB9BFC-2BA3-4C0F-ACA9-846474356E38", "versionEndExcluding": "6.6.14", "versionStartIncluding": "6.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7229C448-E0C9-488B-8939-36BA5254065E", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}