CVE-2024-49979 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix tcp fraglist segmentation after pull from frag_list

Detect tcp gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants.

In extreme cases they pull all data into skb linear. For TCP, this causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at tcp_hdr(seg->next).

Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment.

Approach and description based on a patch by Willem de Bruijn.


Analysis

by VulDB Data Team • 03/25/2026

CVE-2024-49979 addresses a critical flaw in the Linux kernel's network stack that specifically affects TCP Generic Segmentation Offload (GSO). The issue arises when a TCP GSO fraglist skb has been modified by an optional datapath hook such as Network Address Translation (NAT) or a Berkeley Packet Filter (BPF) program before it is segmented. When skb_segment_list then processes such an altered fraglist skb, the result is a kernel crash with the denial-of-service consequences described below.

The technical flaw stems from the kernel's inability to handle SKB_GSO_FRAGLIST skbs whose geometry has been corrupted by optional network hooks. Valid fraglist skbs must maintain specific invariants: they consist of two or more segments, the head_skb holds the protocol headers plus the first gso_size bytes, and each frag_list skb holds exactly one segment. Operations such as bpf_skb_pull_data or NAT can break these invariants. In the extreme case the hook pulls all data into the linear portion of the skb; segmenting that skb on the fraglist path then causes a NULL pointer dereference in __tcpv4_gso_segment_list_csum at tcp_hdr(seg->next) during TCP header processing.

The operational impact is significant: handling network traffic that contains modified GSO fraglist skbs can lead to kernel panics, system crashes, and denial of service. The vulnerability affects TCP packet processing only when optional datapath hooks are present, which makes it particularly relevant in environments where NAT or BPF programs are used for network filtering, traffic manipulation, or security enforcement. The flaw is a memory-safety violation in the kernel that can be triggered to cause system instability. The issue is classified under CWE-476 (NULL pointer dereference) and aligns with ATT&CK technique T1059.001 for system compromise through kernel-level vulnerabilities.

The fix detects invalid geometry in fraglist skbs that have been modified by pull operations, rather than simply dropping such packets, which could blackhole traffic to a destination. Instead, the kernel converts these skbs into a form that the regular skb_segment function can handle, since that function is able to segment them correctly. This preserves network continuity while keeping the system stable; the approach and description are based on a patch by Willem de Bruijn. Detection keys on the head_skb size, which reveals the corrupted fraglist geometry, so the NULL pointer dereference is avoided while network functionality is preserved and the traffic loss that simple dropping would cause is prevented.
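The invariants in the summary and the dispatch decision described in the analysis, modelled as an added example (this is not the kernel's code, and the names toy_skb, fraglist_geometry_valid, pull_into_linear and segmenter_after_pull are hypothetical): a constructed fraglist chain is pulled by a hook-like operation, and the geometry check decides whether the skb may take the fraglist path or must go to the regular segmenter.

```c
#include <stddef.h>

/* Toy model of a TCP GSO fraglist chain (added example, not kernel code):
 * payload = TCP payload bytes held by this skb, next = the frag_list. */
struct toy_skb {
    size_t payload;
    struct toy_skb *next;
};

/* Invariants from the advisory: >= 2 segments, head payload == gso_size,
 * each frag_list skb holds one segment, all but the last exactly gso_size. */
int fraglist_geometry_valid(const struct toy_skb *head, size_t gso_size)
{
    const struct toy_skb *seg;
    if (!head || !head->next || head->payload != gso_size)
        return 0;
    for (seg = head->next; seg; seg = seg->next) {
        if (seg->payload == 0 || seg->payload > gso_size)
            return 0;
        if (seg->next && seg->payload != gso_size)
            return 0;
    }
    return 1;
}

/* Model of a datapath hook (bpf_skb_pull_data, NAT) pulling the first
 * nbytes of frag_list data into the head's linear area. */
void pull_into_linear(struct toy_skb *head, size_t nbytes)
{
    while (nbytes && head->next) {
        struct toy_skb *seg = head->next;
        size_t take = seg->payload < nbytes ? seg->payload : nbytes;
        head->payload += take;
        seg->payload -= take;
        nbytes -= take;
        if (seg->payload == 0)
            head->next = seg->next; /* segment fully absorbed into head */
    }
}

/* Constructed chain (1400-byte segments, last one 700 bytes), pulled by
 * nbytes and then dispatched as the fix does: 1 = fraglist path (safe only
 * with intact geometry, it dereferences seg->next), 0 = regular segmenter. */
int segmenter_after_pull(size_t nbytes)
{
    struct toy_skb s3 = {700, NULL}, s2 = {1400, &s3};
    struct toy_skb s1 = {1400, &s2}, head = {1400, &s1};
    pull_into_linear(&head, nbytes);
    return fraglist_geometry_valid(&head, 1400);
}
```

Any non-zero pull, whether partial or total, changes the head size away from gso_size and routes the skb to the regular segmenter instead of dropping it.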

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00229

KEV

no

Activities

very low
