CVE-2024-47707
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
21/10/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()<br />
<br />
Blamed commit accidentally removed a check for rt->rt6i_idev being NULL,<br />
as spotted by syzbot:<br />
<br />
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI<br />
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]<br />
CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024<br />
RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]<br />
RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914<br />
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06<br />
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246<br />
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000<br />
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0<br />
RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c<br />
R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18<br />
R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930<br />
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0<br />
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
Call Trace:<br />
<br />
addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856<br />
addrconf_notify+0x3cb/0x1020<br />
notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93<br />
call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]<br />
call_netdevice_notifiers net/core/dev.c:2046 [inline]<br />
unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352<br />
unregister_netdevice_many net/core/dev.c:11414 [inline]<br />
unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289<br />
unregister_netdevice include/linux/netdevice.h:3129 [inline]<br />
__tun_detach+0x6b9/0x1600 drivers/net/tun.c:685<br />
tun_detach drivers/net/tun.c:701 [inline]<br />
tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510<br />
__fput+0x24a/0x8a0 fs/file_table.c:422<br />
task_work_run+0x24f/0x310 kernel/task_work.c:228<br />
exit_task_work include/linux/task_work.h:40 [inline]<br />
do_exit+0xa2f/0x27f0 kernel/exit.c:882<br />
do_group_exit+0x207/0x2c0 kernel/exit.c:1031<br />
__do_sys_exit_group kernel/exit.c:1042 [inline]<br />
__se_sys_exit_group kernel/exit.c:1040 [inline]<br />
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040<br />
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
RIP: 0033:0x7f1acc77def9<br />
Code: Unable to access opcode bytes at 0x7f1acc77decf.<br />
RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7<br />
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9<br />
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043<br />
RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001<br />
R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0<br />
<br />
Modules linked in:<br />
---[ end trace 0000000000000000 ]---<br />
RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]<br />
RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914<br />
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06<br />
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246<br />
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000<br />
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0<br />
R<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.3 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.54 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/04ccecfa959d3b9ae7348780d8e379c6486176ac
- https://git.kernel.org/stable/c/08409e401622e2896b4313be9f781bde8a2a6a53
- https://git.kernel.org/stable/c/0ceb2f2b5c813f932d6e60d3feec5e7e713da783
- https://git.kernel.org/stable/c/8a8b83016f06805775db099c8377024b6fa5b975
- https://git.kernel.org/stable/c/9a0ddc73be37d19dff1ba08290af34e707d18e50
- https://git.kernel.org/stable/c/a61a174280dad99f25a7dee920310885daf2552b
- https://git.kernel.org/stable/c/e43dd28405e6b9935279996725ee11e6306547a5
- https://git.kernel.org/stable/c/f2bd9635543ca41533b870f420872819f8331823
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html