{"id":"CVE-2024-36905","summary":"tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets\n\nTCP_SYN_RECV state is really special, it is only used by\ncross-syn connections, mostly used by fuzzers.\n\nIn the following crash [1], syzbot managed to trigger a divide\nby zero in tcp_rcv_space_adjust()\n\nA socket makes the following state transitions,\nwithout ever calling tcp_init_transfer(),\nmeaning tcp_init_buffer_space() is also not called.\n\n         TCP_CLOSE\nconnect()\n         TCP_SYN_SENT\n         TCP_SYN_RECV\nshutdown() -\u003e tcp_shutdown(sk, SEND_SHUTDOWN)\n         TCP_FIN_WAIT1\n\nTo fix this issue, change tcp_shutdown() to not\nperform a TCP_SYN_RECV -\u003e TCP_FIN_WAIT1 transition,\nwhich makes no sense anyway.\n\nWhen tcp_rcv_state_process() later changes socket state\nfrom TCP_SYN_RECV to TCP_ESTABLISH, then look at\nsk-\u003esk_shutdown to finally enter TCP_FIN_WAIT1 state,\nand send a FIN packet from a sane socket state.\n\nThis means tcp_send_fin() can now be called from BH\ncontext, and must use GFP_ATOMIC allocations.\n\n[1]\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767\nCode: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 \u003c48\u003e f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48\nRSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246\nRAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7\nR10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30\nR13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da\nFS:  00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0\nCall Trace:\n \u003cTASK\u003e\n  tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513\n  tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578\n  inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680\n  sock_recvmsg_nosec net/socket.c:1046 [inline]\n  sock_recvmsg+0x109/0x280 net/socket.c:1068\n  ____sys_recvmsg+0x1db/0x470 net/socket.c:2803\n  ___sys_recvmsg net/socket.c:2845 [inline]\n  do_recvmmsg+0x474/0xae0 net/socket.c:2939\n  __sys_recvmmsg net/socket.c:3018 [inline]\n  __do_sys_recvmmsg net/socket.c:3041 [inline]\n  __se_sys_recvmmsg net/socket.c:3034 [inline]\n  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7faeb6363db9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9\nRDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c\nR10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001","modified":"2026-03-20T12:36:50.760238Z","published":"2024-05-30T15:29:06.046Z","related":["MGASA-2024-0263","MGASA-2024-0266","SUSE-SU-2024:4314-1","SUSE-SU-2024:4315-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4367-1","SUSE-SU-2024:4376-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:0035-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36905.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/29/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/10/30/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/11/12/4"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/11/12/5"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/11/12/6"},{"type":"WEB","url":"https://access.redhat.com/security/cve/cve-2024-36905"},{"type":"WEB","url":"https://alas.aws.amazon.com/cve/html/CVE-2024-36905.html"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2552c9d9440f8e7a2ed0660911ff00f25b90a0a4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/34e41a031fd7523bf1cd00a2adca2370aebea270"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3fe4ef0568a48369b1891395d13ac593b1ba41b1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/413c33b9f3bc36fdf719690a78824db9f88a9485"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94062790aedb505bdda209b10bea47b294d6394f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cbf232ba11bc86a5281b4f00e1151349ef4d45cf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ed5e279b69e007ce6c0fe82a5a534c1b19783214"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f47d0d32fa94e815fdd78b8b88684873e67939f4"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2024/10/29/1"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2024/11/12/4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36905.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36905"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240905-0005/"},{"type":"REPORT","url":"https://github.com/cisagov/vulnrichment/issues/130"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"34e41a031fd7523bf1cd00a2adca2370aebea270"},{"fixed":"ed5e279b69e007ce6c0fe82a5a534c1b19783214"},{"fixed":"413c33b9f3bc36fdf719690a78824db9f88a9485"},{"fixed":"2552c9d9440f8e7a2ed0660911ff00f25b90a0a4"},{"fixed":"3fe4ef0568a48369b1891395d13ac593b1ba41b1"},{"fixed":"f47d0d32fa94e815fdd78b8b88684873e67939f4"},{"fixed":"cbf232ba11bc86a5281b4f00e1151349ef4d45cf"},{"fixed":"94062790aedb505bdda209b10bea47b294d6394f"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36905.json"}}],"schema_version":"1.7.5"}