CVE-2024-40937 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: gve: Clear napi->skb before dev_kfree_skb_any() gve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it is freed with dev_kfree_skb_any(). This can result in a subsequent call to napi_get_frags returning a dangling pointer. Fix this by clearing napi->skb before the skb is freed.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037
https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e
https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc
https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50
https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442
https://lore.kernel.org/linux-cve-announce/2024071217-CVE-2024-40937-fecf@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-40937
https://www.cve.org/CVERecord?id=CVE-2024-40937

History

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 14 Aug 2024 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-07-12T12:25:13.807Z

Updated: 2024-11-05T09:33:31.418Z

Reserved: 2024-07-12T12:17:45.584Z

Link: CVE-2024-40937

Vulnrichment

Updated: 2024-09-11T12:42:22.811Z

NVD

Status : Awaiting Analysis

Published: 2024-07-12T13:15:16.187

Modified: 2024-07-12T16:34:58.687

Link: CVE-2024-40937

Redhat

Severity : Moderate

Publid Date: 2024-07-12T00:00:00Z

Links: CVE-2024-40937 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40937", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.584Z", "datePublished": "2024-07-12T12:25:13.807Z", "dateUpdated": "2024-11-05T09:33:31.418Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:33:31.418Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Clear napi->skb before dev_kfree_skb_any()\n\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\n\nFix this by clearing napi->skb before the skb is freed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/google/gve/gve_rx_dqo.c"], "versions": [{"version": "9b8dd5e5ea48", "lessThan": "75afd8724739", "status": "affected", "versionType": "git"}, {"version": "9b8dd5e5ea48", "lessThan": "d22128499111", "status": "affected", "versionType": "git"}, {"version": "9b8dd5e5ea48", "lessThan": "2ce5341c3699", "status": "affected", "versionType": "git"}, {"version": "9b8dd5e5ea48", "lessThan": "a68184d5b420", "status": "affected", "versionType": "git"}, {"version": "9b8dd5e5ea48", "lessThan": "6f4d93b78ade", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/google/gve/gve_rx_dqo.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc"}, {"url": "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442"}, {"url": "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037"}, {"url": "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50"}, {"url": "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e"}], "title": "gve: Clear napi->skb before dev_kfree_skb_any()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.542Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:04:39.753649Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:26.574Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40937", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.584Z", "datePublished": "2024-07-12T12:25:13.807Z", "dateUpdated": "2024-08-02T04:39:55.542Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:51:48.895Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Clear napi->skb before dev_kfree_skb_any()\n\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\n\nFix this by clearing napi->skb before the skb is freed."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/google/gve/gve_rx_dqo.c"], "versions": [{"version": "9b8dd5e5ea48", "lessThan": "75afd8724739", "status": "affected", "versionType": "git"}, {"version": "9b8dd5e5ea48", "lessThan": "d22128499111", "status": "affected", "versionType": "git"}, {"version": "9b8dd5e5ea48", "lessThan": "2ce5341c3699", "status": "affected", "versionType": "git"}, {"version": "9b8dd5e5ea48", "lessThan": "a68184d5b420", "status": "affected", "versionType": "git"}, {"version": "9b8dd5e5ea48", "lessThan": "6f4d93b78ade", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/google/gve/gve_rx_dqo.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/75afd8724739ee5ed8165acde5f6ac3988b485cc"}, {"url": "https://git.kernel.org/stable/c/d221284991118c0ab16480b53baecd857c0bc442"}, {"url": "https://git.kernel.org/stable/c/2ce5341c36993b776012601921d7688693f8c037"}, {"url": "https://git.kernel.org/stable/c/a68184d5b420ea4fc7e6b7ceb52bbc66f90d3c50"}, {"url": "https://git.kernel.org/stable/c/6f4d93b78ade0a4c2cafd587f7b429ce95abb02e"}], "title": "gve: Clear napi->skb before dev_kfree_skb_any()", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:04:39.753649Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-09-11T12:42:22.811Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"bugzilla": {"description": "kernel: gve: Clear napi->skb before dev_kfree_skb_any()", "id": "2297521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297521"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ngve: Clear napi->skb before dev_kfree_skb_any()\ngve_rx_free_skb incorrectly leaves napi->skb referencing an skb after it\nis freed with dev_kfree_skb_any(). This can result in a subsequent call\nto napi_get_frags returning a dangling pointer.\nFix this by clearing napi->skb before the skb is freed."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-40937", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40937\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40937\nhttps://lore.kernel.org/linux-cve-announce/2024071217-CVE-2024-40937-fecf@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.15.162, kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc4"}