CVE-2024-57791 Overview
CVE-2024-57791 is a Linux kernel vulnerability in the Shared Memory Communications (SMC) networking subsystem. The flaw resides in the smc_clc_wait_msg function within net/smc, where the kernel processes Connection Layer Control (CLC) messages received from the network. The length field in smc_clc_msg_hdr is taken from untrusted network input. When that length exceeds the local buffer length (buflen), the draining loop fails to validate the return value of sock_recvmsg, allowing the kernel to enter an infinite loop while attempting to drain the remaining data. The result is a remote, unauthenticated denial-of-service condition against hosts using SMC sockets.
Critical Impact
A remote attacker can send a crafted CLC header with an oversized length field, triggering an infinite loop in the kernel and rendering the SMC service unresponsive.
Affected Products
- Linux kernel versions from 5.8 up to, but not including, the patched stable updates
- Linux kernel 6.13 release candidates (rc1, rc2, rc3)
- Debian distributions tracking affected stable kernel branches
Discovery Timeline
- 2025-01-11 - CVE-2024-57791 published to the National Vulnerability Database
- 2025-03 - Debian LTS security announcements published
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-57791
Vulnerability Analysis
The vulnerability affects the SMC protocol implementation in the Linux kernel. SMC is a high-performance protocol used over RDMA and ISM devices, with CLC messages handling the initial handshake. During this handshake, smc_clc_wait_msg reads a header containing a length field that describes how many bytes should follow.
When the advertised length exceeds the size of the local buffer (buflen), the kernel attempts to drain the excess bytes from the socket to keep the stream synchronized. The original draining loop did not inspect the return value of sock_recvmsg. If sock_recvmsg returned zero or a negative error, the loop counter was not advanced, producing an infinite loop inside kernel context.
The upstream fix adds a check on the return value of sock_recvmsg and aborts the drain when the call fails, breaking the loop and returning an error to the caller.
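To make the drain-loop failure mode and the fix concrete, the following user-space model is added to this write-up. It is not the kernel's code: the peer_stream struct, the stream_read callback, the 64-byte local buffer and the 16-byte drain chunk are constructed stand-ins, and the `budget` parameter of drain_unchecked exists only so the pre-fix behaviour can be observed without actually hanging. stream_read follows the sock_recvmsg contract (positive byte count, 0 on EOF, negative on error); drain_unchecked advances its counter only on a positive return, as the page describes, while drain_checked aborts on 0 or an error as the patched kernel does.

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for the peer's TCP stream: it hands out the bytes
 * the peer actually sent after the CLC header, then returns 0 (EOF) on
 * every further read. Not kernel code. */
struct peer_stream {
    size_t available;   /* bytes the peer really sent beyond the header */
    size_t calls;       /* reads issued so far, for inspection */
};

/* Same contract as sock_recvmsg: >0 bytes read, 0 on EOF, <0 on error. */
static ssize_t stream_read(struct peer_stream *s, size_t want)
{
    s->calls++;
    if (s->available == 0)
        return 0;                       /* peer gone: no forward progress */
    size_t n = want < s->available ? want : s->available;
    s->available -= n;
    return (ssize_t)n;
}

#define LOCAL_BUFLEN 64   /* modelled buflen: bytes the header read consumed */
#define DRAIN_CHUNK  16   /* bytes requested per drain iteration */

/* Pre-fix behaviour as the page describes it: only a positive return
 * advances the counter, so 0 / negative leaves `excess` unchanged and the
 * loop spins. `budget` is purely a testing aid (it does not exist in the
 * modelled loop) so "would never finish" can be observed without hanging.
 * Returns 0 when drained, -1 when the budget ran out. */
static int drain_unchecked(struct peer_stream *s, size_t advertised,
                           size_t budget)
{
    size_t excess = advertised > LOCAL_BUFLEN ? advertised - LOCAL_BUFLEN : 0;

    while (excess) {
        if (budget-- == 0)
            return -1;                  /* stuck: loop would never exit */
        size_t want = excess < DRAIN_CHUNK ? excess : DRAIN_CHUNK;
        ssize_t n = stream_read(s, want);
        if (n > 0)
            excess -= (size_t)n;        /* 0 or error: nothing subtracted */
    }
    return 0;
}

/* Post-fix behaviour: a read that makes no progress aborts the drain and
 * the error propagates to the caller instead of looping. */
static int drain_checked(struct peer_stream *s, size_t advertised)
{
    size_t excess = advertised > LOCAL_BUFLEN ? advertised - LOCAL_BUFLEN : 0;

    while (excess) {
        size_t want = excess < DRAIN_CHUNK ? excess : DRAIN_CHUNK;
        ssize_t n = stream_read(s, want);
        if (n <= 0)
            return -1;                  /* EOF or error: give up */
        excess -= (size_t)n;
    }
    return 0;
}

int main(void)
{
    /* Honest peer: advertises 100 bytes and really sends 36 past the header. */
    struct peer_stream honest = { 36, 0 };
    printf("honest peer, checked drain: %d (%zu reads)\n",
           drain_checked(&honest, 100), honest.calls);

    /* Oversized header with nothing behind it: the stream only returns EOF. */
    struct peer_stream empty = { 0, 0 };
    int rc = drain_unchecked(&empty, 4096, 1000);
    printf("unchecked drain: %d after %zu reads (budget exhausted)\n",
           rc, empty.calls);

    struct peer_stream empty2 = { 0, 0 };
    printf("checked drain: %d after %zu read(s)\n",
           drain_checked(&empty2, 4096), empty2.calls);
    return 0;
}
```

The honest peer drains in three reads under either loop. With an oversized header and an EOF-only stream, the unchecked loop issues reads until the artificial budget runs out (in the kernel there is no budget, hence the lockup), while the checked loop returns an error after the very first read that makes no progress.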
Root Cause
The root cause is missing error handling on a function return value [CWE-NVD-noinfo]. Specifically, the drain loop trusted attacker-controlled length data and assumed sock_recvmsg would always make forward progress. When the peer closed the connection or sent malformed data, sock_recvmsg returned without consuming any bytes, leaving the loop unable to terminate.
Attack Vector
An attacker with network reachability to an SMC-enabled host establishes a connection and sends a CLC handshake message. The crafted header advertises a length larger than the receiver's internal buffer. The receiver enters the draining path, where the unchecked sock_recvmsg return value traps a kernel thread in an infinite loop. No authentication or user interaction is required.
The vulnerability is described in prose rather than code because no verified public proof-of-concept is available. The corrective patches are published in the upstream stable trees at commits 6b80924a, 7a692781, 82c7ad9c, c5b8ee50, d7d1f986, and df3dfe1a.
Detection Methods for CVE-2024-57791
Indicators of Compromise
- Kernel threads stuck at 100% CPU utilization within the smc_clc_wait_msg call path
- Soft lockup or RCU stall warnings in dmesg referencing the net/smc subsystem
- Sudden unresponsiveness of SMC-based services with no corresponding application crash
- Unexpected inbound TCP connections to SMC handshake ports from unknown sources
Detection Strategies
- Monitor kernel logs for BUG: soft lockup or rcu_sched self-detected stall messages tied to SMC functions
- Audit running kernel versions against the patched stable releases referenced in the kernel.org commits
- Inspect host telemetry for sustained kernel-mode CPU spikes on systems configured with the smc module loaded
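The log-based strategy above (soft lockup and RCU stall messages tied to SMC functions) can be automated with a small stateful scanner. The following C program is added here and is not part of any vendor tooling; the dmesg excerpt it scans is constructed for the example, and TRACE_WINDOW, has_smc_symbol and count_smc_lockups are names chosen for this illustration. Because the lockup header and the backtrace frames arrive on separate lines, the scanner remembers the most recent header and attributes the following frames to it, counting a report only when a frame names a net/smc symbol.

```c
#include <stdio.h>
#include <string.h>

/* Constructed dmesg excerpt (not captured from a real host): a soft-lockup
 * report whose backtrace lands in net/smc, unrelated noise, and a second
 * stall that has nothing to do with SMC and must not be counted. */
static const char *const sample_log[] = {
    "[  812.101] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[  901.220] watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [kworker/2:1:311]",
    "[  901.221] Modules linked in: smc ib_core mlx5_core",
    "[  901.223] RIP: 0010:sock_recvmsg+0x3a/0x60",
    "[  901.224] Call Trace:",
    "[  901.225]  smc_clc_wait_msg+0x2f4/0x5c0 [smc]",
    "[  901.226]  smc_listen_work+0x1a8/0xb40 [smc]",
    "[  950.000] rcu: INFO: rcu_sched self-detected stall on CPU",
    "[  950.001]  ext4_writepages+0x1c0/0x9f0",
    NULL
};

/* Backtrace lines printed after a lockup header that are still attributed
 * to it. Real traces can be longer; widen this for production use. */
#define TRACE_WINDOW 32

/* 1 if the line opens a soft-lockup or RCU stall report. */
int is_lockup_header(const char *line)
{
    return strstr(line, "BUG: soft lockup") != NULL ||
           strstr(line, "self-detected stall") != NULL;
}

/* 1 if the line carries a kernel symbol from net/smc: an smc_ prefix at a
 * token boundary, so "Modules linked in: smc" or "[smc]" do not match. */
int has_smc_symbol(const char *line)
{
    for (const char *p = strstr(line, "smc_"); p; p = strstr(p + 1, "smc_")) {
        if (p == line || p[-1] == ' ' || p[-1] == ':' || p[-1] == '\t')
            return 1;
    }
    return 0;
}

/* Walk the log once. Returns the number of lockup/stall reports whose
 * backtrace touches net/smc; *total_out receives all reports seen. */
int count_smc_lockups(const char *const *lines, int *total_out)
{
    int total = 0, smc_reports = 0;
    int window = 0;          /* backtrace lines left for the current report */
    int already_counted = 0; /* count each report once despite many smc_ frames */

    for (int i = 0; lines[i] != NULL; i++) {
        if (is_lockup_header(lines[i])) {
            total++;
            window = TRACE_WINDOW;
            already_counted = 0;
            continue;
        }
        if (window > 0) {
            window--;
            if (!already_counted && has_smc_symbol(lines[i])) {
                smc_reports++;
                already_counted = 1;
            }
        }
    }
    if (total_out)
        *total_out = total;
    return smc_reports;
}

int main(void)
{
    int total = 0;
    int hits = count_smc_lockups(sample_log, &total);
    printf("%d lockup/stall report(s), %d with net/smc frames\n", total, hits);
    return hits ? 2 : 0;   /* non-zero exit so a cron job or agent can alert */
}
```

On the constructed input the scanner sees two reports and flags one of them. In deployment the same function would be fed lines from the kernel ring buffer or the journal; the non-zero exit status is the hook for an alerting pipeline.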
Monitoring Recommendations
- Track lsmod output for the smc module and inventory hosts where SMC is enabled
- Forward kernel ring buffer events into a centralized logging pipeline for stall and lockup detection
- Alert on abnormal connection patterns targeting hosts that expose SMC over the network
How to Mitigate CVE-2024-57791
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the kernel.org stable commits for your kernel branch
- For Debian systems, install the updates from the Debian LTS announcement (March 2025)
- Identify hosts using SMC and prioritize patching for any internet-facing systems
Patch Information
The fix is committed across multiple stable branches. Reference commits include 6b80924af621, 7a6927814b42, 82c7ad9ca099, c5b8ee5022a1, d7d1f986ebb2, and df3dfe1a93c6. Each patch adds a return-value check on sock_recvmsg inside the CLC drain path so the loop terminates when the socket read fails.
Workarounds
- Unload the smc kernel module on hosts that do not require Shared Memory Communications: modprobe -r smc
- Blacklist the module to prevent automatic loading by adding the line blacklist smc to a file under /etc/modprobe.d/ (for example /etc/modprobe.d/disable-smc.conf)
- Restrict network exposure of SMC services through host firewall rules until patches are deployed
# Disable the SMC module to mitigate exposure until patching
# modprobe -r fails with "Module smc is in use" while SMC sockets are open;
# close those services first (the blacklist below still takes effect on reboot)
sudo modprobe -r smc
# Prevent the module from being loaded again, including from the initramfs
echo "blacklist smc" | sudo tee /etc/modprobe.d/disable-smc.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.