Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-46763

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
18/09/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fou: Fix null-ptr-deref in GRO.<br /> <br /> We observed a null-ptr-deref in fou_gro_receive() while shutting down<br /> a host. [0]<br /> <br /> The NULL pointer is sk-&gt;sk_user_data, and the offset 8 is of protocol<br /> in struct fou.<br /> <br /> When fou_release() is called due to netns dismantle or explicit tunnel<br /> teardown, udp_tunnel_sock_release() sets NULL to sk-&gt;sk_user_data.<br /> Then, the tunnel socket is destroyed after a single RCU grace period.<br /> <br /> So, in-flight udp4_gro_receive() could find the socket and execute the<br /> FOU GRO handler, where sk-&gt;sk_user_data could be NULL.<br /> <br /> Let&amp;#39;s use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL<br /> checks in FOU GRO handlers.<br /> <br /> [0]:<br /> BUG: kernel NULL pointer dereference, address: 0000000000000008<br /> PF: supervisor read access in kernel mode<br /> PF: error_code(0x0000) - not-present page<br /> PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0<br /> SMP PTI<br /> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1<br /> Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017<br /> RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou]<br /> Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42<br /> RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297<br /> RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010<br /> RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08<br /> RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002<br /> R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400<br /> R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0<br /> FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)<br /> ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)<br /> ? no_context (arch/x86/mm/fault.c:752)<br /> ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483)<br /> ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571)<br /> ? fou_gro_receive (net/ipv4/fou.c:233) [fou]<br /> udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559)<br /> udp4_gro_receive (net/ipv4/udp_offload.c:604)<br /> inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7))<br /> dev_gro_receive (net/core/dev.c:6035 (discriminator 4))<br /> napi_gro_receive (net/core/dev.c:6170)<br /> ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena]<br /> ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena]<br /> napi_poll (net/core/dev.c:6847)<br /> net_rx_action (net/core/dev.c:6917)<br /> __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299)<br /> asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809)<br /> <br /> do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77)<br /> irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435)<br /> common_interrupt (arch/x86/kernel/irq.c:239)<br /> asm_common_interrupt (arch/x86/include/asm/idtentry.h:626)<br /> RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575)<br /> Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00<br /> RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246<br /> RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900<br /> RDX: ffff93daee800000 RSI: ffff93d<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.7 (including) 5.10.226 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools