CVE-2024-44987
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
04/09/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ipv6: prevent UAF in ip6_send_skb()<br />
<br />
syzbot reported an UAF in ip6_send_skb() [1]<br />
<br />
After ip6_local_out() has returned, we no longer can safely<br />
dereference rt, unless we hold rcu_read_lock().<br />
<br />
A similar issue has been fixed in commit<br />
a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")<br />
<br />
Another potential issue in ip6_finish_output2() is handled in a<br />
separate patch.<br />
<br />
[1]<br />
BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964<br />
Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530<br />
<br />
CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:93 [inline]<br />
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119<br />
print_address_description mm/kasan/report.c:377 [inline]<br />
print_report+0x169/0x550 mm/kasan/report.c:488<br />
kasan_report+0x143/0x180 mm/kasan/report.c:601<br />
ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964<br />
rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588<br />
rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0x1a6/0x270 net/socket.c:745<br />
sock_write_iter+0x2dd/0x400 net/socket.c:1160<br />
do_iter_readv_writev+0x60a/0x890<br />
vfs_writev+0x37c/0xbb0 fs/read_write.c:971<br />
do_writev+0x1b1/0x350 fs/read_write.c:1018<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
RIP: 0033:0x7f936bf79e79<br />
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48<br />
RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014<br />
RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79<br />
RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004<br />
RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br />
R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8<br />
<br />
<br />
Allocated by task 6530:<br />
kasan_save_stack mm/kasan/common.c:47 [inline]<br />
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br />
unpoison_slab_object mm/kasan/common.c:312 [inline]<br />
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338<br />
kasan_slab_alloc include/linux/kasan.h:201 [inline]<br />
slab_post_alloc_hook mm/slub.c:3988 [inline]<br />
slab_alloc_node mm/slub.c:4037 [inline]<br />
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044<br />
dst_alloc+0x12b/0x190 net/core/dst.c:89<br />
ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670<br />
make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]<br />
xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313<br />
ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257<br />
rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0x1a6/0x270 net/socket.c:745<br />
____sys_sendmsg+0x525/0x7d0 net/socket.c:2597<br />
___sys_sendmsg net/socket.c:2651 [inline]<br />
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680<br />
do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
Freed by task 45:<br />
kasan_save_stack mm/kasan/common.c:47 [inline]<br />
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68<br />
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579<br />
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240<br />
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256<br />
kasan_slab_free include/linux/kasan.h:184 [inline]<br />
slab_free_hook mm/slub.c:2252 [inline]<br />
slab_free mm/slub.c:4473 [inline]<br />
kmem_cache_free+0x145/0x350 mm/slub.c:4548<br />
dst_destroy+0x2ac/0x460 net/core/dst.c:124<br />
rcu_do_batch kernel/rcu/tree.c:2569 [inline]<br />
rcu_core+0xafd/0x1830 kernel/rcu/tree.<br />
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.32 (including) | 4.19.321 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.283 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.225 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.166 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.107 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.48 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/24e93695b1239fbe4c31e224372be77f82dab69a
- https://git.kernel.org/stable/c/571567e0277008459750f0728f246086b2659429
- https://git.kernel.org/stable/c/9a3e55afa95ed4ac9eda112d4f918af645d72f25
- https://git.kernel.org/stable/c/af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011
- https://git.kernel.org/stable/c/cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e
- https://git.kernel.org/stable/c/ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8
- https://git.kernel.org/stable/c/e44bd76dd072756e674f45c5be00153f4ded68b2
- https://git.kernel.org/stable/c/faa389b2fbaaec7fd27a390b4896139f9da662e3
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html