CVE-2024-26852
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
17/04/2024
Last modified:
21/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/ipv6: avoid possible UAF in ip6_route_mpath_notify()<br />
<br />
syzbot found another use-after-free in ip6_route_mpath_notify() [1]<br />
<br />
Commit f7225172f25a ("net/ipv6: prevent use after free in<br />
ip6_route_mpath_notify") was not able to fix the root cause.<br />
<br />
We need to defer the fib6_info_release() calls after<br />
ip6_route_mpath_notify(), in the cleanup phase.<br />
<br />
[1]<br />
BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0<br />
Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037<br />
<br />
CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:88 [inline]<br />
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106<br />
print_address_description mm/kasan/report.c:377 [inline]<br />
print_report+0x167/0x540 mm/kasan/report.c:488<br />
kasan_report+0x142/0x180 mm/kasan/report.c:601<br />
rt6_fill_node+0x1460/0x1ac0<br />
inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184<br />
ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]<br />
ip6_route_multipath_add net/ipv6/route.c:5404 [inline]<br />
inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517<br />
rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597<br />
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543<br />
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]<br />
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367<br />
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0x221/0x270 net/socket.c:745<br />
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584<br />
___sys_sendmsg net/socket.c:2638 [inline]<br />
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667<br />
do_syscall_64+0xf9/0x240<br />
entry_SYSCALL_64_after_hwframe+0x6f/0x77<br />
RIP: 0033:0x7f73dd87dda9<br />
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br />
RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br />
RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9<br />
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005<br />
RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br />
R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858<br />
<br />
<br />
Allocated by task 23037:<br />
kasan_save_stack mm/kasan/common.c:47 [inline]<br />
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br />
poison_kmalloc_redzone mm/kasan/common.c:372 [inline]<br />
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389<br />
kasan_kmalloc include/linux/kasan.h:211 [inline]<br />
__do_kmalloc_node mm/slub.c:3981 [inline]<br />
__kmalloc+0x22e/0x490 mm/slub.c:3994<br />
kmalloc include/linux/slab.h:594 [inline]<br />
kzalloc include/linux/slab.h:711 [inline]<br />
fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155<br />
ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758<br />
ip6_route_multipath_add net/ipv6/route.c:5298 [inline]<br />
inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517<br />
rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597<br />
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543<br />
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]<br />
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367<br />
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0x221/0x270 net/socket.c:745<br />
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584<br />
___sys_sendmsg net/socket.c:2638 [inline]<br />
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667<br />
do_syscall_64+0xf9/0x240<br />
entry_SYSCALL_64_after_hwframe+0x6f/0x77<br />
<br />
Freed by task 16:<br />
kasan_save_stack mm/kasan/common.c:47 [inline]<br />
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br />
kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640<br />
poison_slab_object+0xa6/0xe0 m<br />
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.11 (including) | 4.19.310 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.272 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.213 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.152 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.82 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.22 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136
- https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18
- https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda
- https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e
- https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab
- https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe
- https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24
- https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a
- https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136
- https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18
- https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda
- https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e
- https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab
- https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe
- https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24
- https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html