Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-50045

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/10/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: br_netfilter: fix panic with metadata_dst skb<br /> <br /> Fix a kernel panic in the br_netfilter module when sending untagged<br /> traffic via a VxLAN device.<br /> This happens during the check for fragmentation in br_nf_dev_queue_xmit.<br /> <br /> It is dependent on:<br /> 1) the br_netfilter module being loaded;<br /> 2) net.bridge.bridge-nf-call-iptables set to 1;<br /> 3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;<br /> 4) untagged frames with size higher than the VxLAN MTU forwarded/flooded<br /> <br /> When forwarding the untagged packet to the VxLAN bridge port, before<br /> the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and<br /> changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type<br /> of dst, i.e., skb_valid_dst(skb) is false, and metadata-&gt;dst.dev is NULL.<br /> <br /> Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there&amp;#39;s a check<br /> for frames that needs to be fragmented: frames with higher MTU than the<br /> VxLAN device end up calling br_nf_ip_fragment, which in turns call<br /> ip_skb_dst_mtu.<br /> <br /> The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst<br /> with valid dst-&gt;dev, thus the crash.<br /> <br /> This case was never supported in the first place, so drop the packet<br /> instead.<br /> <br /> PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.<br /> [ 176.291791] Unable to handle kernel NULL pointer dereference at<br /> virtual address 0000000000000110<br /> [ 176.292101] Mem abort info:<br /> [ 176.292184] ESR = 0x0000000096000004<br /> [ 176.292322] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 176.292530] SET = 0, FnV = 0<br /> [ 176.292709] EA = 0, S1PTW = 0<br /> [ 176.292862] FSC = 0x04: level 0 translation fault<br /> [ 176.293013] Data abort info:<br /> [ 176.293104] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000<br /> [ 176.293488] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 176.293787] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000<br /> [ 176.294166] [0000000000000110] pgd=0000000000000000,<br /> p4d=0000000000000000<br /> [ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP<br /> [ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth<br /> br_netfilter bridge stp llc ipv6 crct10dif_ce<br /> [ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted<br /> 6.8.0-rc3-g5b3fbd61b9d1 #2<br /> [ 176.296314] Hardware name: linux,dummy-virt (DT)<br /> [ 176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS<br /> BTYPE=--)<br /> [ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]<br /> [ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]<br /> [ 176.297636] sp : ffff800080003630<br /> [ 176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:<br /> ffff6828c49ad9f8<br /> [ 176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:<br /> 00000000000003e8<br /> [ 176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:<br /> ffff6828c3b16d28<br /> [ 176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:<br /> 0000000000000014<br /> [ 176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:<br /> 0000000095744632<br /> [ 176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:<br /> ffffb7e137926a70<br /> [ 176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :<br /> 0000000000000000<br /> [ 176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :<br /> f20e0100bebafeca<br /> [ 176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :<br /> 0000000000000000<br /> [ 176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :<br /> ffff6828c7f918f0<br /> [ 176.300889] Call trace:<br /> [ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]<br /> [ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]<br /> [ 176.301703] nf_hook_slow+0x48/0x124<br /> [ 176.302060] br_forward_finish+0xc8/0xe8 [bridge]<br /> [ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter]<br /> [ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter]<br /> [ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]<br /> [ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter]<br /> [ 176.303359] nf_hook_slow+0x48/0x124<br /> [ 176.303<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.11 (including) 5.10.227 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools