/sys/module/tcp_dctcp/parameters/dctcp_shift_g # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g 10 # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g -bash: echo: write error: Invalid argument [0]: UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12 shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int') CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468 dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143 tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline] tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948 tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711 tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937 sk_backlog_rcv include/net/sock.h:1106 [inline] __release_sock+0x20f/0x350 net/core/sock.c:2983 release_sock+0x61/0x1f0 net/core/sock.c:3549 mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907 mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976 __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072 mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127 inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437 __sock_release net/socket.c:659 [inline] sock_close+0xc0/0x240 net/socket.c:1421 __fput+0x41b/0x890 fs/file_table.c:422 task_work_run+0x23b/0x300 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x9c8/0x2540 kernel/exit.c:878 do_group_exit+0x201/0x2b0 kernel/exit.c:1027 __do_sys_exit_group kernel/exit.c:1038 [inline] __se_sys_exit_group kernel/exit.c:1036 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f6c2b5005b6 Code: Unable to access opcode bytes at 0x7f6c2b50058c. RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6 RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0 R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 "> ,/sys/module/tcp_dctcp/parameters/dctcp_shift_g,#,cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g,10,#,echo,11,> /sys/module/tcp_dctcp/parameters/dctcp_shift_g,-bash:,echo:,write error:,Invalid,argument,[0]:,UBSAN:,shift-out-of-bounds,in net/ipv4/tcp_dctcp.c:143:12,shift,exponent,100,is,too,large,for,32-bit type,'u32',(aka,'unsigned,int'),CPU:,0,PID:,8083,Comm:,syz-executor345 Not,tainted,6.9.0-05151-g1b294a1f3561,#2,Hardware,name:,QEMU,Standard PC,(i440FX,+,PIIX,,1996),,BIOS,1.13.0-1ubuntu1.1,04/01/2014,Call Trace:,,__dump_stack,lib/dump_stack.c:88,[inline] dump_stack_lvl+0x201/0x300,lib/dump_stack.c:114,ubsan_epilogue lib/ubsan.c:231,[inline] __ubsan_handle_shift_out_of_bounds+0x346/0x3a0,lib/ubsan.c:468 dctcp_update_alpha+0x540/0x570,net/ipv4/tcp_dctcp.c:143 tcp_in_ack_event,net/ipv4/tcp_input.c:3802,[inline] tcp_ack+0x17b1/0x3bc0,net/ipv4/tcp_input.c:3948 tcp_rcv_state_process+0x57a/0x2290,net/ipv4/tcp_input.c:6711 tcp_v4_do_rcv+0x764/0xc40,net/ipv4/tcp_ipv4.c:1937,sk_backlog_rcv include/net/sock.h:1106,[inline],__release_sock+0x20f/0x350 net/core/sock.c:2983,release_sock+0x61/0x1f0,net/core/sock.c:3549 mptcp_subflow_shutdown+0x3d0/0x620,net/mptcp/protocol.c:2907 mptcp_check_send_data_fin+0x225/0x410,net/mptcp/protocol.c:2976 __mptcp_close+0x238/0xad0,net/mptcp/protocol.c:3072 mptcp_close+0x2a/0x1a0,net/mptcp/protocol.c:3127 inet_release+0x190/0x1f0,net/ipv4/af_inet.c:437,__sock_release net/socket.c:659,[inline],sock_close+0xc0/0x240,net/socket.c:1421 __fput+0x41b/0x890,fs/file_table.c:422,task_work_run+0x23b/0x300 kernel/task_work.c:180,exit_task_work,include/linux/task_work.h:38 [inline],do_exit+0x9c8/0x2540,kernel/exit.c:878 do_group_exit+0x201/0x2b0,kernel/exit.c:1027,__do_sys_exit_group kernel/exit.c:1038,[inline],__se_sys_exit_group,kernel/exit.c:1036 [inline],__x64_sys_exit_group+0x3f/0x40,kernel/exit.c:1036 do_syscall_x64,arch/x86/entry/common.c:52,[inline] do_syscall_64+0xe4/0x240,arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x67/0x6f,RIP:,0033:0x7f6c2b5005b6 Code:,Unable,to,access,opcode,bytes,at,0x7f6c2b50058c.,RSP: 002b:00007ffe883eb948,EFLAGS:,00000246,ORIG_RAX:,00000000000000e7,RAX: ffffffffffffffda,RBX:,00007f6c2b5862f0,RCX:,00007f6c2b5005b6,RDX: 0000000000000001,RSI:,000000000000003c,RDI:,0000000000000001,RBP: 0000000000000001,R08:,00000000000000e7,R09:,ffffffffffffffc0,R10: 0000000000000006,R11:,0000000000000246,R12:,00007f6c2b5862f0,R13: 0000000000000001,R14:,0000000000000000,R15:,0000000000000001, "> SecuritySpace - CVE-2024-37356
 
English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

CVE ID:CVE-2024-37356
Description:In the Linux kernel, the following vulnerability has been resolved: tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). In dctcp_update_alpha(), we use a module parameter dctcp_shift_g as follows: alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g); ... delivered_ce <<= (10 - dctcp_shift_g); It seems syzkaller started fuzzing module parameters and triggered shift-out-of-bounds [0] by setting 100 to dctcp_shift_g: memcpy((void*)0x20000080, "/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul, /*flags=*/2ul, /*mode=*/0ul); memcpy((void*)0x20000000, "100\000", 4); syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul); Let's limit the max value of dctcp_shift_g by param_set_uint_minmax(). With this patch: # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g 10 # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g -bash: echo: write error: Invalid argument [0]: UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12 shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int') CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468 dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143 tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline] tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948 tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711 tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937 sk_backlog_rcv include/net/sock.h:1106 [inline] __release_sock+0x20f/0x350 net/core/sock.c:2983 release_sock+0x61/0x1f0 net/core/sock.c:3549 mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907 mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976 __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072 mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127 inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437 __sock_release net/socket.c:659 [inline] sock_close+0xc0/0x240 net/socket.c:1421 __fput+0x41b/0x890 fs/file_table.c:422 task_work_run+0x23b/0x300 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x9c8/0x2540 kernel/exit.c:878 do_group_exit+0x201/0x2b0 kernel/exit.c:1027 __do_sys_exit_group kernel/exit.c:1038 [inline] __se_sys_exit_group kernel/exit.c:1036 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f6c2b5005b6 Code: Unable to access opcode bytes at 0x7f6c2b50058c. RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6 RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0 R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Test IDs: None available
Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2024-37356
https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c
https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c
https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6
https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6
https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd
https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd
https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66
https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66
https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf
https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf
https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a
https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a
https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be
https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be
https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31
https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31



© 1998-2025 E-Soft Inc. All rights reserved.