{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-41048","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-12T12:17:45.625Z","datePublished":"2024-07-29T14:32:05.224Z","dateUpdated":"2025-11-03T21:59:48.428Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:20:54.907Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: Skip zero length skb in sk_msg_recvmsg\n\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\n\n  [...]\n  Oops[#1]:\n  CPU: 22 PID: 2824 Comm: test_progs Tainted: G           OE  6.10.0-rc2+ #18\n  Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n     ... ...\n     ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\n    ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\n   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n   PRMD: 0000000c (PPLV0 +PIE +PWE)\n   EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n  ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n   BADV: 0000000000000040\n   PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\n  Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\n  Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\n  Stack : ...\n  Call Trace:\n  [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\n  [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\n  [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\n  [<90000000049aae34>] inet_recvmsg+0x54/0x100\n  [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\n  [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\n  [<900000000481e27c>] sys_recvfrom+0x1c/0x40\n  [<9000000004c076ec>] do_syscall+0x8c/0xc0\n  [<9000000003731da4>] handle_syscall+0xc4/0x160\n  Code: ...\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: Fatal exception\n  Kernel relocated by 0x3510000\n   .text @ 0x9000000003710000\n   .data @ 0x9000000004d70000\n   .bss  @ 0x9000000006469400\n  ---[ end Kernel panic - not syncing: Fatal exception ]---\n  [...]\n\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\n\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb->len == 0) was put on the queue.\n\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\n\n\tshutdown(p1, SHUT_WR);\n\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\n\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\n\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it's a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/skmsg.c"],"versions":[{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"fb61d7b9fb6ef0032de469499a54dab4c7260d0d","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"b180739b45a38b4caa88fe16bb5273072e6613dc","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"f8bd689f37f4198a4c61c4684f591ba639595b97","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"f0c18025693707ec344a70b6887f7450bf4c826b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/skmsg.c"],"versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","status":"unaffected","versionType":"semver"},{"version":"5.15.163","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.100","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.41","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.9.10","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.163"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.1.100"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.6.41"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.9.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632"},{"url":"https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d"},{"url":"https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc"},{"url":"https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97"},{"url":"https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b"}],"title":"skmsg: Skip zero length skb in sk_msg_recvmsg","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T21:59:48.428Z"}},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-41048","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:22:50.876207Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:34:02.036Z"}}]}}