{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-46783","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-09-11T15:12:18.276Z","datePublished":"2024-09-18T07:12:39.573Z","dateUpdated":"2025-11-03T22:18:29.717Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:34:12.222Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: fix return value of tcp_bpf_sendmsg()\n\nWhen we cork messages in psock->cork, the last message triggers the\nflushing will result in sending a sk_msg larger than the current\nmessage size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes\nnegative at least in the following case:\n\n468 case __SK_DROP:\n469 default:\n470 sk_msg_free_partial(sk, msg, tosend);\n471 sk_msg_apply_bytes(psock, tosend);\n472 *copied -= (tosend + delta); // <==== HERE\n473 return -EACCES;\n\nTherefore, it could lead to the following BUG with a proper value of\n'copied' (thanks to syzbot). We should not use negative 'copied' as a\nreturn value here.\n\n ------------[ cut here ]------------\n kernel BUG at net/socket.c:733!\n Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n Modules linked in:\n CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0\n Hardware name: linux,dummy-virt (DT)\n pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n pc : sock_sendmsg_nosec net/socket.c:733 [inline]\n pc : sock_sendmsg_nosec net/socket.c:728 [inline]\n pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745\n lr : sock_sendmsg_nosec net/socket.c:730 [inline]\n lr : __sock_sendmsg+0x54/0x60 net/socket.c:745\n sp : ffff800088ea3b30\n x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000\n x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000\n x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90\n x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001\n x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0\n x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000\n x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef\n Call trace:\n sock_sendmsg_nosec net/socket.c:733 [inline]\n __sock_sendmsg+0x5c/0x60 net/socket.c:745\n ____sys_sendmsg+0x274/0x2ac net/socket.c:2597\n ___sys_sendmsg+0xac/0x100 net/socket.c:2651\n __sys_sendmsg+0x84/0xe0 net/socket.c:2680\n __do_sys_sendmsg net/socket.c:2689 [inline]\n __se_sys_sendmsg net/socket.c:2687 [inline]\n __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49\n el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151\n el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712\n el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730\n el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598\n Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)\n ---[ end trace 0000000000000000 ]---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_bpf.c"],"versions":[{"version":"4f738adba30a7cfc006f605707e7aee847ffefa0","lessThan":"6f9fdf5806cced888c43512bccbdf7fefd50f510","status":"affected","versionType":"git"},{"version":"4f738adba30a7cfc006f605707e7aee847ffefa0","lessThan":"3efe53eb221a38e207c1e3f81c51e4ca057d50c2","status":"affected","versionType":"git"},{"version":"4f738adba30a7cfc006f605707e7aee847ffefa0","lessThan":"78bb38d9c5a311c5f8bdef7c9557d7d81ca30e4a","status":"affected","versionType":"git"},{"version":"4f738adba30a7cfc006f605707e7aee847ffefa0","lessThan":"810a4e7d92dea4074cb04c25758320909d752193","status":"affected","versionType":"git"},{"version":"4f738adba30a7cfc006f605707e7aee847ffefa0","lessThan":"c8219a27fa43a2cbf99f5176f6dddfe73e7a24ae","status":"affected","versionType":"git"},{"version":"4f738adba30a7cfc006f605707e7aee847ffefa0","lessThan":"126d72b726c4cf1119f3a7fe413a78d341c3fea9","status":"affected","versionType":"git"},{"version":"4f738adba30a7cfc006f605707e7aee847ffefa0","lessThan":"fe1910f9337bd46a9343967b547ccab26b4b2c6e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_bpf.c"],"versions":[{"version":"4.17","status":"affected"},{"version":"0","lessThan":"4.17","status":"unaffected","versionType":"semver"},{"version":"5.4.284","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.226","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.167","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.110","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.51","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.10.10","lessThanOrEqual":"6.10.*","status":"unaffected","versionType":"semver"},{"version":"6.11","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.4.284"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.10.226"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.15.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.1.110"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.6.51"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.10.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6f9fdf5806cced888c43512bccbdf7fefd50f510"},{"url":"https://git.kernel.org/stable/c/3efe53eb221a38e207c1e3f81c51e4ca057d50c2"},{"url":"https://git.kernel.org/stable/c/78bb38d9c5a311c5f8bdef7c9557d7d81ca30e4a"},{"url":"https://git.kernel.org/stable/c/810a4e7d92dea4074cb04c25758320909d752193"},{"url":"https://git.kernel.org/stable/c/c8219a27fa43a2cbf99f5176f6dddfe73e7a24ae"},{"url":"https://git.kernel.org/stable/c/126d72b726c4cf1119f3a7fe413a78d341c3fea9"},{"url":"https://git.kernel.org/stable/c/fe1910f9337bd46a9343967b547ccab26b4b2c6e"}],"title":"tcp_bpf: fix return value of tcp_bpf_sendmsg()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-09-29T14:29:59.160997Z","id":"CVE-2024-46783","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-29T14:30:13.589Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:18:29.717Z"}}]}}