Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2024 / CVE-2024-36286.mbox
blob: 94beb4f1bba1e98d52ba9fef06350b3deff72541 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-36286: netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
syzbot reported that nf_reinject() could be called without rcu_read_lock() :
WARNING: suspicious RCU usage
6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted
net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor.4/13427:
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172
stack backtrace:
CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]
nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397
nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]
instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172
rcu_do_batch kernel/rcu/tree.c:2196 [inline]
rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471
handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
The Linux kernel CVE team has assigned CVE-2024-36286 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.25 with commit 9872bec773c2e8503fec480c1e8a0c732517e257 and fixed in 4.19.316 with commit 8658bd777cbfcb0c13df23d0ea120e70517761b9
Issue introduced in 2.6.25 with commit 9872bec773c2e8503fec480c1e8a0c732517e257 and fixed in 5.4.278 with commit 3989b817857f4890fab9379221a9d3f52bf5c256
Issue introduced in 2.6.25 with commit 9872bec773c2e8503fec480c1e8a0c732517e257 and fixed in 5.10.219 with commit e01065b339e323b3dfa1be217fd89e9b3208b0ab
Issue introduced in 2.6.25 with commit 9872bec773c2e8503fec480c1e8a0c732517e257 and fixed in 5.15.161 with commit 25ea5377e3d2921a0f96ae2551f5ab1b36825dd4
Issue introduced in 2.6.25 with commit 9872bec773c2e8503fec480c1e8a0c732517e257 and fixed in 6.1.93 with commit 68f40354a3851df46c27be96b84f11ae193e36c5
Issue introduced in 2.6.25 with commit 9872bec773c2e8503fec480c1e8a0c732517e257 and fixed in 6.6.33 with commit 8f365564af898819a523f1a8cf5c6ce053e9f718
Issue introduced in 2.6.25 with commit 9872bec773c2e8503fec480c1e8a0c732517e257 and fixed in 6.9.4 with commit 215df6490e208bfdd5b3012f5075e7f8736f3e7a
Issue introduced in 2.6.25 with commit 9872bec773c2e8503fec480c1e8a0c732517e257 and fixed in 6.10 with commit dc21c6cc3d6986d938efbf95de62473982c98dec
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-36286
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/netfilter/nfnetlink_queue.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9
https://git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256
https://git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab
https://git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4
https://git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5
https://git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718
https://git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a
https://git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec