CVE-2024-35969
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/05/2024
Last modified:
04/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr

Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it
still means hlist_for_each_entry_rcu can return an item that got removed
from the list. The memory itself of such item is not freed thanks to RCU
but nothing guarantees the actual content of the memory is sane.

In particular, the reference count can be zero. This can happen if
ipv6_del_addr is called in parallel. ipv6_del_addr removes the entry
from inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all
references (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough
timing, this can happen:

1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.

2. Then, the whole ipv6_del_addr is executed for the given entry. The
reference count drops to zero and kfree_rcu is scheduled.

3. ipv6_get_ifaddr continues and tries to increment the reference count
(in6_ifa_hold).

4. The rcu is unlocked and the entry is freed.

5. The freed entry is returned.

Prevent increasing the reference count in such a case. The name
in6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.

[ 41.506330] refcount_t: addition on 0; use-after-free.
[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130
[ 41.507413] Modules linked in: veth bridge stp llc
[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14
[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130
[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff
[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282
[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000
[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900
[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff
[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000
[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48
[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000
[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0
[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 41.516799] Call Trace:
[ 41.517037]
[ 41.517249] ? __warn+0x7b/0x120
[ 41.517535] ? refcount_warn_saturate+0xa5/0x130
[ 41.517923] ? report_bug+0x164/0x190
[ 41.518240] ? handle_bug+0x3d/0x70
[ 41.518541] ? exc_invalid_op+0x17/0x70
[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20
[ 41.521325] ? refcount_warn_saturate+0xa5/0x130
[ 41.521708] ipv6_get_ifaddr+0xda/0xe0
[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0
[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10
[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0
[ 41.523102] ? netlink_unicast+0x30f/0x390
[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 41.523832] netlink_rcv_skb+0x53/0x100
[ 41.524157] netlink_unicast+0x23b/0x390
[ 41.524484] netlink_sendmsg+0x1f2/0x440
[ 41.524826] __sys_sendto+0x1d8/0x1f0
[ 41.525145] __x64_sys_sendto+0x1f/0x30
[ 41.525467] do_syscall_64+0xa5/0x1b0
[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a
[ 41.526213] RIP: 0033:0x7fbc4cfcea9a
[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[ 41.527942] RSP: 002b:00007f
---truncated---
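The commit message above names the fix (in6_ifa_hold_safe, modelled on fib6_info_hold_safe) but the patched kernel source is not on this page. The program below is an added userspace C example, not kernel code, that replays the five-step interleaving deterministically in one thread: once with an unconditional hold (the in6_ifa_hold behaviour that trips "refcount_t: addition on 0") and once with a hold that takes a reference only while the count is still non-zero, built here on an atomic compare-and-swap. That "increment unless zero" semantics is assumed to be what the kernel's *_hold_safe helpers provide (the usual refcount_inc_not_zero() contract); struct ifaddr, init_ifaddr, hold_unsafe, hold_safe, put and lookup_after_delete are names invented for this demo, and the address is a constructed sample.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct inet6_ifaddr with only the fields the race touches.
 * Every identifier here is invented for this example, not a kernel name. */
struct ifaddr {
	char addr[48];       /* textual address, for printing only */
	atomic_uint refcnt;  /* models the kernel's refcount_t */
	bool freed;          /* set once the simulated kfree_rcu callback has run */
};

/* Constructed sample entry with the two references ipv6_del_addr drops:
 * the list's own (__in6_ifa_put) and its caller's (in6_ifa_put). */
static void init_ifaddr(struct ifaddr *ifp, const char *addr)
{
	snprintf(ifp->addr, sizeof(ifp->addr), "%s", addr);
	atomic_init(&ifp->refcnt, 2);
	ifp->freed = false;
}

/* Unconditional hold, i.e. plain refcount_inc() behaviour: it turns 0 into 1
 * and "resurrects" an object that is already on its way to the free callback. */
static void hold_unsafe(struct ifaddr *ifp)
{
	atomic_fetch_add_explicit(&ifp->refcnt, 1, memory_order_relaxed);
}

/* Conditional hold: take a reference only if the count is still non-zero.
 * Assumed to match the refcount_inc_not_zero() semantics behind the
 * kernel's *_hold_safe helpers; the real source is not on the page. */
static bool hold_safe(struct ifaddr *ifp)
{
	unsigned int old = atomic_load_explicit(&ifp->refcnt, memory_order_relaxed);

	do {
		if (old == 0)
			return false;	/* dying object: refuse, caller reports "not found" */
	} while (!atomic_compare_exchange_weak_explicit(&ifp->refcnt, &old, old + 1,
							 memory_order_acquire,
							 memory_order_relaxed));
	return true;
}

/* Drop one reference; the last put stands in for kfree_rcu being scheduled. */
static void put(struct ifaddr *ifp)
{
	if (atomic_fetch_sub_explicit(&ifp->refcnt, 1, memory_order_release) == 1)
		ifp->freed = true;
}

/* Replay of the commit message's steps with the bad interleaving forced:
 * the lookup already obtained `ifp` from the RCU list walk (step 1), then the
 * whole of ipv6_del_addr ran (step 2), then the lookup takes its reference
 * (step 3). Returns what the lookup would hand back to its caller. */
static struct ifaddr *lookup_after_delete(struct ifaddr *ifp, bool use_safe_hold)
{
	put(ifp);	/* step 2: __in6_ifa_put, list reference gone */
	put(ifp);	/* step 2: in6_ifa_put, count hits 0, free scheduled */

	if (use_safe_hold)
		return hold_safe(ifp) ? ifp : NULL;	/* patched: NULL here */

	hold_unsafe(ifp);	/* unpatched: "refcount_t: addition on 0; use-after-free" */
	return ifp;		/* steps 4-5: a freed entry is returned */
}

int main(void)
{
	struct ifaddr a, b;

	init_ifaddr(&a, "2001:db8::1");	/* constructed sample address */
	init_ifaddr(&b, "2001:db8::1");

	struct ifaddr *r1 = lookup_after_delete(&a, false);
	printf("unsafe hold: returned %s, refcnt=%u, freed=%d\n",
	       r1 ? r1->addr : "NULL", atomic_load(&a.refcnt), a.freed);

	struct ifaddr *r2 = lookup_after_delete(&b, true);
	printf("safe hold:   returned %s, refcnt=%u, freed=%d\n",
	       r2 ? r2->addr : "NULL", atomic_load(&b.refcnt), b.freed);
	return 0;
}
```

The unpatched path hands the caller an entry whose count went 0 to 1 after the free was already scheduled, which is exactly the state the warning at lib/refcount.c:25 reports; the patched path makes the lookup fail closed instead. Note the check is only sound because RCU keeps the memory itself valid until the reader leaves the critical section: the compare-and-swap reads a refcount that may be zero but is never unmapped.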
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.35 (including) | 4.19.313 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.275 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.216 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.156 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.87 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.28 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.7 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652
- https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70
- https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb
- https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83
- https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129
- https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1
- https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903
- https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html