| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-35886: ipv6: Fix infinite recursion in fib6_dump_done(). |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| ipv6: Fix infinite recursion in fib6_dump_done(). |
| |
| syzkaller reported infinite recursive calls of fib6_dump_done() during |
| netlink socket destruction. [1] |
| |
| From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then |
| the response was generated. The following recvmmsg() resumed the dump |
| for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due |
| to the fault injection. [0] |
| |
| 12:01:34 executing program 3: |
| r0 = socket$nl_route(0x10, 0x3, 0x0) |
| sendmsg$nl_route(r0, ... snip ...) |
| recvmmsg(r0, ... snip ...) (fail_nth: 8) |
| |
| Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call |
| of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped |
| receiving the response halfway through, and finally netlink_sock_destruct() |
| called nlk_sk(sk)->cb.done(). |
| |
| fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it |
| is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by |
| nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling |
| itself recursively and hitting the stack guard page. |
| |
| To avoid the issue, let's set the destructor after kzalloc(). |
| |
| [0]: |
| FAULT_INJECTION: forcing a failure. |
| name failslab, interval 1, probability 0, space 0, times 0 |
| CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 |
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 |
| Call Trace: |
| <TASK> |
| dump_stack_lvl (lib/dump_stack.c:117) |
| should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) |
| should_failslab (mm/slub.c:3733) |
| kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) |
| inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) |
| rtnl_dump_all (net/core/rtnetlink.c:4029) |
| netlink_dump (net/netlink/af_netlink.c:2269) |
| netlink_recvmsg (net/netlink/af_netlink.c:1988) |
| ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) |
| ___sys_recvmsg (net/socket.c:2846) |
| do_recvmmsg (net/socket.c:2943) |
| __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034) |
| |
| [1]: |
| BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb) |
| stack guard page: 0000 [#1] PREEMPT SMP KASAN |
| CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 |
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 |
| Workqueue: events netlink_sock_destruct_work |
| RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570) |
| Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff |
| RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 |
| RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 |
| RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 |
| RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 |
| R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000 |
| R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 |
| FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 |
| CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0 |
| PKRU: 55555554 |
| Call Trace: |
| <#DF> |
| </#DF> |
| <TASK> |
| fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) |
| fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) |
| ... |
| fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) |
| fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) |
| netlink_sock_destruct (net/netlink/af_netlink.c:401) |
| __sk_destruct (net/core/sock.c:2177 (discriminator 2)) |
| sk_destruct (net/core/sock.c:2224) |
| __sk_free (net/core/sock.c:2235) |
| sk_free (net/core/sock.c:2246) |
| process_one_work (kernel/workqueue.c:3259) |
| worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416) |
| kthread (kernel/kthread.c:388) |
| ret_from_fork (arch/x86/kernel/process.c:153) |
| ret_from_fork_asm (arch/x86/entry/entry_64.S:256) |
| Modules linked in: |
| |
| The Linux kernel CVE team has assigned CVE-2024-35886 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 4.19.312 with commit 9472d07cd095cbd3294ac54c42f304a38fbe9bfe |
| Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.4.274 with commit 9c5258196182c25b55c33167cd72fdd9bbf08985 |
| Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.10.215 with commit fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 |
| Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 5.15.154 with commit 40a344b2ddc06c1a2caa7208a43911f39c662778 |
| Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.1.85 with commit 167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2 |
| Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.6.26 with commit f2dd75e57285f49e34af1a5b6cd8945c08243776 |
| Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.8.5 with commit 4a7c465a5dcd657d59d25bf4815e19ac05c13061 |
| Issue introduced in 2.6.12 with commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and fixed in 6.9 with commit d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-35886 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/ipv6/ip6_fib.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe |
| https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985 |
| https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 |
| https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778 |
| https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2 |
| https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776 |
| https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061 |
| https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae |
