cve/2024/CVE-2024-35841.md

### [CVE-2024-35841](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35841)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=fe1e81d4f73b%3C%2002e368eb1444%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In the Linux kernel, the following vulnerability has been resolved:net: tls, fix WARNIING in __sk_msg_freeA splice with MSG_SPLICE_PAGES will cause tls code to use thetls_sw_sendmsg_splice path in the TLS sendmsg code to move the userprovided pages from the msg into the msg_pl. This will loop over themsg until msg_pl is full, checked by sk_msg_full(msg_pl). The usercan also set the MORE flag to hint stack to delay sending until receivingmore pages and ideally a full buffer.If the user adds more pages to the msg than can fit in the msg_plscatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and sendthe buffer anyways.What actually happens though is we abort the msg to msg_pl scatterlistsetup and then because we forget to set 'full record' indicating wecan no longer consume data without a send we fallthrough to the 'continue'path which will check if msg_data_left(msg) has more bytes to send andthen attempts to fit them in the already full msg_pl. Then nextiteration of sender doing send will encounter a full msg_pl and throwthe warning in the syzbot report.To fix simply check if we have a full_record in splice code path andif not send the msg regardless of MORE flag.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2024-35841](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35841)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=fe1e81d4f73b%3C%2002e368eb1444%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			In the Linux kernel, the following vulnerability has been resolved:net: tls, fix WARNIING in __sk_msg_freeA splice with MSG_SPLICE_PAGES will cause tls code to use thetls_sw_sendmsg_splice path in the TLS sendmsg code to move the userprovided pages from the msg into the msg_pl. This will loop over themsg until msg_pl is full, checked by sk_msg_full(msg_pl). The usercan also set the MORE flag to hint stack to delay sending until receivingmore pages and ideally a full buffer.If the user adds more pages to the msg than can fit in the msg_plscatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and sendthe buffer anyways.What actually happens though is we abort the msg to msg_pl scatterlistsetup and then because we forget to set 'full record' indicating wecan no longer consume data without a send we fallthrough to the 'continue'path which will check if msg_data_left(msg) has more bytes to send andthen attempts to fit them in the already full msg_pl. Then nextiteration of sender doing send will encounter a full msg_pl and throwthe warning in the syzbot report.To fix simply check if we have a full_record in splice code path andif not send the msg regardless of MORE flag.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`