cve/published/2024/CVE-2024-44987.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44987: ipv6: prevent UAF in ip6_send_skb()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipv6: prevent UAF in ip6_send_skb()

 syzbot reported an UAF in ip6_send_skb() [1]

 After ip6_local_out() has returned, we no longer can safely
 dereference rt, unless we hold rcu_read_lock().

 A similar issue has been fixed in commit
 a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")

 Another potential issue in ip6_finish_output2() is handled in a
 separate patch.

 [1]
  BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530

 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
 Call Trace:
  <TASK>
   __dump_stack lib/dump_stack.c:93 [inline]
   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
   print_address_description mm/kasan/report.c:377 [inline]
   print_report+0x169/0x550 mm/kasan/report.c:488
   kasan_report+0x143/0x180 mm/kasan/report.c:601
   ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
   rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
   rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x1a6/0x270 net/socket.c:745
   sock_write_iter+0x2dd/0x400 net/socket.c:1160
  do_iter_readv_writev+0x60a/0x890
   vfs_writev+0x37c/0xbb0 fs/read_write.c:971
   do_writev+0x1b1/0x350 fs/read_write.c:1018
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7f936bf79e79
 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79
 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004
 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8
  </TASK>

 Allocated by task 6530:
   kasan_save_stack mm/kasan/common.c:47 [inline]
   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
   unpoison_slab_object mm/kasan/common.c:312 [inline]
   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
   kasan_slab_alloc include/linux/kasan.h:201 [inline]
   slab_post_alloc_hook mm/slub.c:3988 [inline]
   slab_alloc_node mm/slub.c:4037 [inline]
   kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
   dst_alloc+0x12b/0x190 net/core/dst.c:89
   ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670
   make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]
   xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313
   ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257
   rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x1a6/0x270 net/socket.c:745
   ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
   ___sys_sendmsg net/socket.c:2651 [inline]
   __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Freed by task 45:
   kasan_save_stack mm/kasan/common.c:47 [inline]
   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
   poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
   __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
   kasan_slab_free include/linux/kasan.h:184 [inline]
   slab_free_hook mm/slub.c:2252 [inline]
   slab_free mm/slub.c:4473 [inline]
   kmem_cache_free+0x145/0x350 mm/slub.c:4548
   dst_destroy+0x2ac/0x460 net/core/dst.c:124
   rcu_do_batch kernel/rcu/tree.c:2569 [inline]
   rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2843
   handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
   __do_softirq kernel/softirq.c:588 [inline]
   invoke_softirq kernel/softirq.c:428 [inline]
   __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
   irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
   instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
   sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
   asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

 Last potentially related work creation:
   kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
   __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
   __call_rcu_common kernel/rcu/tree.c:3106 [inline]
   call_rcu+0x167/0xa70 kernel/rcu/tree.c:3210
   refdst_drop include/net/dst.h:263 [inline]
   skb_dst_drop include/net/dst.h:275 [inline]
   nf_ct_frag6_queue net/ipv6/netfilter/nf_conntrack_reasm.c:306 [inline]
   nf_ct_frag6_gather+0xb9a/0x2080 net/ipv6/netfilter/nf_conntrack_reasm.c:485
   ipv6_defrag+0x2c8/0x3c0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:67
   nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
   nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
   nf_hook include/linux/netfilter.h:269 [inline]
   __ip6_local_out+0x6fa/0x800 net/ipv6/output_core.c:143
   ip6_local_out+0x26/0x70 net/ipv6/output_core.c:153
   ip6_send_skb+0x112/0x230 net/ipv6/ip6_output.c:1959
   rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
   rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
   sock_sendmsg_nosec net/socket.c:730 [inline]
   __sock_sendmsg+0x1a6/0x270 net/socket.c:745
   sock_write_iter+0x2dd/0x400 net/socket.c:1160
  do_iter_readv_writev+0x60a/0x890

 The Linux kernel CVE team has assigned CVE-2024-44987 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 4.19.321 with commit 571567e0277008459750f0728f246086b2659429
 	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 5.4.283 with commit ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8
 	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 5.10.225 with commit cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e
 	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 5.15.166 with commit 24e93695b1239fbe4c31e224372be77f82dab69a
 	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 6.1.107 with commit 9a3e55afa95ed4ac9eda112d4f918af645d72f25
 	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 6.6.48 with commit af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011
 	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 6.10.7 with commit e44bd76dd072756e674f45c5be00153f4ded68b2
 	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 6.11 with commit faa389b2fbaaec7fd27a390b4896139f9da662e3

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44987
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/ip6_output.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/571567e0277008459750f0728f246086b2659429
 	https://git.kernel.org/stable/c/ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8
 	https://git.kernel.org/stable/c/cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e
 	https://git.kernel.org/stable/c/24e93695b1239fbe4c31e224372be77f82dab69a
 	https://git.kernel.org/stable/c/9a3e55afa95ed4ac9eda112d4f918af645d72f25
 	https://git.kernel.org/stable/c/af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011
 	https://git.kernel.org/stable/c/e44bd76dd072756e674f45c5be00153f4ded68b2
 	https://git.kernel.org/stable/c/faa389b2fbaaec7fd27a390b4896139f9da662e3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44987: ipv6: prevent UAF in ip6_send_skb()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipv6: prevent UAF in ip6_send_skb()

	syzbot reported an UAF in ip6_send_skb() [1]

	After ip6_local_out() has returned, we no longer can safely
	dereference rt, unless we hold rcu_read_lock().

	A similar issue has been fixed in commit
	a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()")

	Another potential issue in ip6_finish_output2() is handled in a
	separate patch.

	[1]
	BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
	Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530

	CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:93 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
	print_address_description mm/kasan/report.c:377 [inline]
	print_report+0x169/0x550 mm/kasan/report.c:488
	kasan_report+0x143/0x180 mm/kasan/report.c:601
	ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964
	rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
	rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x1a6/0x270 net/socket.c:745
	sock_write_iter+0x2dd/0x400 net/socket.c:1160
	do_iter_readv_writev+0x60a/0x890
	vfs_writev+0x37c/0xbb0 fs/read_write.c:971
	do_writev+0x1b1/0x350 fs/read_write.c:1018
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f936bf79e79
	Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
	RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79
	RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004
	RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8
	</TASK>

	Allocated by task 6530:
	kasan_save_stack mm/kasan/common.c:47 [inline]
	kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
	unpoison_slab_object mm/kasan/common.c:312 [inline]
	__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
	kasan_slab_alloc include/linux/kasan.h:201 [inline]
	slab_post_alloc_hook mm/slub.c:3988 [inline]
	slab_alloc_node mm/slub.c:4037 [inline]
	kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
	dst_alloc+0x12b/0x190 net/core/dst.c:89
	ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670
	make_blackhole net/xfrm/xfrm_policy.c:3120 [inline]
	xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313
	ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257
	rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x1a6/0x270 net/socket.c:745
	____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
	___sys_sendmsg net/socket.c:2651 [inline]
	__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Freed by task 45:
	kasan_save_stack mm/kasan/common.c:47 [inline]
	kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
	kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
	poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
	__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
	kasan_slab_free include/linux/kasan.h:184 [inline]
	slab_free_hook mm/slub.c:2252 [inline]
	slab_free mm/slub.c:4473 [inline]
	kmem_cache_free+0x145/0x350 mm/slub.c:4548
	dst_destroy+0x2ac/0x460 net/core/dst.c:124
	rcu_do_batch kernel/rcu/tree.c:2569 [inline]
	rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2843
	handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
	__do_softirq kernel/softirq.c:588 [inline]
	invoke_softirq kernel/softirq.c:428 [inline]
	__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
	irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
	instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
	sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
	asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

	Last potentially related work creation:
	kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
	__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
	__call_rcu_common kernel/rcu/tree.c:3106 [inline]
	call_rcu+0x167/0xa70 kernel/rcu/tree.c:3210
	refdst_drop include/net/dst.h:263 [inline]
	skb_dst_drop include/net/dst.h:275 [inline]
	nf_ct_frag6_queue net/ipv6/netfilter/nf_conntrack_reasm.c:306 [inline]
	nf_ct_frag6_gather+0xb9a/0x2080 net/ipv6/netfilter/nf_conntrack_reasm.c:485
	ipv6_defrag+0x2c8/0x3c0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:67
	nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
	nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
	nf_hook include/linux/netfilter.h:269 [inline]
	__ip6_local_out+0x6fa/0x800 net/ipv6/output_core.c:143
	ip6_local_out+0x26/0x70 net/ipv6/output_core.c:153
	ip6_send_skb+0x112/0x230 net/ipv6/ip6_output.c:1959
	rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588
	rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0x1a6/0x270 net/socket.c:745
	sock_write_iter+0x2dd/0x400 net/socket.c:1160
	do_iter_readv_writev+0x60a/0x890

	The Linux kernel CVE team has assigned CVE-2024-44987 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 4.19.321 with commit 571567e0277008459750f0728f246086b2659429
	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 5.4.283 with commit ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8
	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 5.10.225 with commit cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e
	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 5.15.166 with commit 24e93695b1239fbe4c31e224372be77f82dab69a
	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 6.1.107 with commit 9a3e55afa95ed4ac9eda112d4f918af645d72f25
	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 6.6.48 with commit af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011
	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 6.10.7 with commit e44bd76dd072756e674f45c5be00153f4ded68b2
	Issue introduced in 2.6.32 with commit 0625491493d9000e4556bf566d205c28c8e7dc4e and fixed in 6.11 with commit faa389b2fbaaec7fd27a390b4896139f9da662e3

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44987
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/ip6_output.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/571567e0277008459750f0728f246086b2659429
	https://git.kernel.org/stable/c/ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8
	https://git.kernel.org/stable/c/cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e
	https://git.kernel.org/stable/c/24e93695b1239fbe4c31e224372be77f82dab69a
	https://git.kernel.org/stable/c/9a3e55afa95ed4ac9eda112d4f918af645d72f25
	https://git.kernel.org/stable/c/af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011
	https://git.kernel.org/stable/c/e44bd76dd072756e674f45c5be00153f4ded68b2
	https://git.kernel.org/stable/c/faa389b2fbaaec7fd27a390b4896139f9da662e3