Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-46782

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
18/09/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ila: call nf_unregister_net_hooks() sooner<br /> <br /> syzbot found an use-after-free Read in ila_nf_input [1]<br /> <br /> Issue here is that ila_xlat_exit_net() frees the rhashtable,<br /> then call nf_unregister_net_hooks().<br /> <br /> It should be done in the reverse way, with a synchronize_rcu().<br /> <br /> This is a good match for a pre_exit() method.<br /> <br /> [1]<br /> BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]<br /> BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]<br /> BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]<br /> BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672<br /> Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16<br /> <br /> CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:93 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119<br /> print_address_description mm/kasan/report.c:377 [inline]<br /> print_report+0x169/0x550 mm/kasan/report.c:488<br /> kasan_report+0x143/0x180 mm/kasan/report.c:601<br /> rht_key_hashfn include/linux/rhashtable.h:159 [inline]<br /> __rhashtable_lookup include/linux/rhashtable.h:604 [inline]<br /> rhashtable_lookup include/linux/rhashtable.h:646 [inline]<br /> rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672<br /> ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]<br /> ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]<br /> ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190<br /> nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]<br /> nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626<br /> nf_hook include/linux/netfilter.h:269 [inline]<br /> NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312<br /> __netif_receive_skb_one_core net/core/dev.c:5661 [inline]<br /> __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775<br /> process_backlog+0x662/0x15b0 net/core/dev.c:6108<br /> __napi_poll+0xcb/0x490 net/core/dev.c:6772<br /> napi_poll net/core/dev.c:6841 [inline]<br /> net_rx_action+0x89b/0x1240 net/core/dev.c:6963<br /> handle_softirqs+0x2c4/0x970 kernel/softirq.c:554<br /> run_ksoftirqd+0xca/0x130 kernel/softirq.c:928<br /> smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> <br /> The buggy address belongs to the physical page:<br /> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620<br /> flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)<br /> page_type: 0xbfffffff(buddy)<br /> raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000<br /> raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> page_owner tracks the page as freed<br /> page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187<br /> set_page_owner include/linux/page_owner.h:32 [inline]<br /> post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493<br /> prep_new_page mm/page_alloc.c:1501 [inline]<br /> get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439<br /> __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695<br /> __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]<br /> alloc_pages_node_noprof include/linux/gfp.h:296 [inline]<br /> ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103<br /> __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130<br /> __do_kmalloc_node mm/slub.c:4146 [inline]<br /> __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164<br /> __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650<br /> bucket_table_alloc lib/rhashtable.c:186 [inline]<br /> rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071<br /> ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613<br /> ops_ini<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.5 (including) 4.19.322 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.284 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.226 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools