CVE-2024-46783 in Linuxinfo

Summary

by MITRE • 09/18/2024

In the Linux kernel, the following vulnerability has been resolved:

tcp_bpf: fix return value of tcp_bpf_sendmsg()

When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case:

468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES;

Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here.

------------[ cut here ]------------
kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline]
pc : sock_sendmsg_nosec net/socket.c:728 [inline]
pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline]
lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline]
__sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline]
__se_sys_sendmsg net/socket.c:2687 [inline]
__arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/06/2026

The vulnerability identified as CVE-2024-46783 resides within the Linux kernel's implementation of BPF (Berkeley Packet Filter) for TCP socket operations, specifically in the tcp_bpf_sendmsg function. This flaw manifests when handling corked messages within the psock->cork structure where the final message in a batch triggers a flush operation that sends a sk_msg larger than the current message size. The issue stems from improper handling of the copied variable within the tcp_bpf_send_verdict function, where a negative value can be assigned to copied due to arithmetic operations involving tosend and delta values.

The technical root cause occurs in the code path where the __SK_DROP case is executed, leading to a scenario where sk_msg_free_partial and sk_msg_apply_bytes functions are called followed by the problematic line *copied -= (tosend + delta); which can result in a negative value for copied. This negative return value is subsequently passed to the socket send messaging system, causing a kernel panic when the kernel attempts to process this invalid value in sock_sendmsg_nosec function at net/socket.c:733. The kernel BUG trace shows an internal error occurring at this specific location with an Oops condition indicating that the kernel cannot handle the negative copied value properly.

This vulnerability directly relates to CWE-129 and CWE-131 in the Common Weakness Enumeration, representing issues with improper input validation and incorrect handling of buffer sizes. The ATT&CK framework categorizes this under T1547.001 (Registry Run Keys/Startup Folder) and T1059.001 (Command and Scripting Interpreter) as potential attack vectors, though the primary concern is kernel-level exploitation. The operational impact includes system crashes and potential denial of service conditions, as the kernel enters an unrecoverable state when encountering the negative copied value. Systems running affected kernel versions are vulnerable to arbitrary code execution or system instability when BPF programs interact with TCP socket operations under specific conditions involving corked message handling.

The mitigation strategy involves applying the kernel patch that corrects the return value handling in tcp_bpf_sendmsg by ensuring that negative values are not used as return codes, and that proper bounds checking is implemented when modifying the copied variable. Organizations should prioritize updating to kernel versions containing the fix, particularly those using BPF programs with TCP socket operations or systems that may be exposed to malicious BPF program execution. Additionally, monitoring for kernel panic events and implementing proper kernel version management practices can help detect and prevent exploitation of this vulnerability in production environments.

Responsible

Linux

Reservation

09/11/2024

Disclosure

09/18/2024

Moderation

accepted

CPE

ready

EPSS

0.00229

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!