CVE-2024-36286
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/06/2024
Last modified:
07/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()<br />
<br />
syzbot reported that nf_reinject() could be called without rcu_read_lock() :<br />
<br />
WARNING: suspicious RCU usage<br />
6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted<br />
<br />
net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!<br />
<br />
other info that might help us debug this:<br />
<br />
rcu_scheduler_active = 2, debug_locks = 1<br />
2 locks held by syz-executor.4/13427:<br />
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]<br />
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]<br />
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471<br />
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]<br />
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]<br />
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172<br />
<br />
stack backtrace:<br />
CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:88 [inline]<br />
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114<br />
lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712<br />
nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]<br />
nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397<br />
nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]<br />
instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172<br />
rcu_do_batch kernel/rcu/tree.c:2196 [inline]<br />
rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471<br />
handle_softirqs+0x2d6/0x990 kernel/softirq.c:554<br />
__do_softirq kernel/softirq.c:588 [inline]<br />
invoke_softirq kernel/softirq.c:428 [inline]<br />
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637<br />
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649<br />
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]<br />
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043<br />
<br />
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.25 (including) | 4.19.316 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.278 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.219 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.161 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.93 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.33 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.4 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a
- https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4
- https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256
- https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5
- https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9
- https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718
- https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec
- https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab
- https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a
- https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4
- https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256
- https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5
- https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9
- https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718
- https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec
- https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab