CVE-2024-57843

{"id": "CVE-2024-57843", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-01-11T15:15:07.170", "references": [{"url": "https://git.kernel.org/stable/c/67a11de8965c2ab19e215fb6651d44847e068614", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6aacd1484468361d1d04badfe75f264fa5314864", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a8f7d6963768b114ec9644ff0148dde4c104e84b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-191"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix overflow inside virtnet_rq_alloc\n\nWhen the frag just got a page, then may lead to regression on VM.\nSpecially if the sysctl net.core.high_order_alloc_disable value is 1,\nthen the frag always get a page when do refill.\n\nWhich could see reliable crashes or scp failure (scp a file 100M in size\nto VM).\n\nThe issue is that the virtnet_rq_dma takes up 16 bytes at the beginning\nof a new frag. When the frag size is larger than PAGE_SIZE,\neverything is fine. However, if the frag is only one page and the\ntotal size of the buffer and virtnet_rq_dma is larger than one page, an\noverflow may occur.\n\nThe commit f9dac92ba908 (\"virtio_ring: enable premapped mode whatever\nuse_dma_api\") introduced this problem. And we reverted some commits to\nfix this in last linux version. Now we try to enable it and fix this\nbug directly.\n\nHere, when the frag size is not enough, we reduce the buffer len to fix\nthis problem."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio-net: se corrige el desbordamiento dentro de virtnet_rq_alloc Cuando el fragmento acaba de obtener una p\u00e1gina, puede provocar una regresi\u00f3n en la m\u00e1quina virtual. Especialmente si el valor de sysctl net.core.high_order_alloc_disable es 1, entonces el fragmento siempre obtiene una p\u00e1gina cuando se rellena. Lo que podr\u00eda provocar fallos fiables o fallos de SCP (enviar un archivo de 100 M de tama\u00f1o a la m\u00e1quina virtual). El problema es que virtnet_rq_dma ocupa 16 bytes al principio de un nuevo fragmento. Cuando el tama\u00f1o del fragmento es mayor que PAGE_SIZE, todo est\u00e1 bien. Sin embargo, si el fragmento es solo una p\u00e1gina y el tama\u00f1o total del b\u00fafer y virtnet_rq_dma es mayor que una p\u00e1gina, puede producirse un desbordamiento. El commit f9dac92ba908 (\"virtio_ring: habilitar el modo premapeado sea cual sea el uso de_dma_api\") introdujo este problema. Y revertimos algunas confirmaciones para solucionar este problema en la \u00faltima versi\u00f3n de Linux. Ahora intentamos habilitarlo y solucionar este error directamente. Aqu\u00ed, cuando el tama\u00f1o del fragmento no es suficiente, reducimos la longitud del b\u00fafer para solucionar este problema."}], "lastModified": "2025-09-24T18:41:29.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90A079EF-8212-45DF-84FB-C525A64635B0", "versionEndExcluding": "6.6.66"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9501D045-7A94-42CA-8B03-821BE94A65B7", "versionEndExcluding": "6.12.5", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}