cve/published/2024/CVE-2024-46782.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46782: ila: call nf_unregister_net_hooks() sooner

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ila: call nf_unregister_net_hooks() sooner

 syzbot found an use-after-free Read in ila_nf_input [1]

 Issue here is that ila_xlat_exit_net() frees the rhashtable,
 then call nf_unregister_net_hooks().

 It should be done in the reverse way, with a synchronize_rcu().

 This is a good match for a pre_exit() method.

 [1]
  BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
  BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
  BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
  BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16

 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
 Call Trace:
  <TASK>
   __dump_stack lib/dump_stack.c:93 [inline]
   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
   print_address_description mm/kasan/report.c:377 [inline]
   print_report+0x169/0x550 mm/kasan/report.c:488
   kasan_report+0x143/0x180 mm/kasan/report.c:601
   rht_key_hashfn include/linux/rhashtable.h:159 [inline]
   __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
   rhashtable_lookup include/linux/rhashtable.h:646 [inline]
   rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
   ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
   ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
   ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190
   nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
   nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
   nf_hook include/linux/netfilter.h:269 [inline]
   NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
   __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
   __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775
   process_backlog+0x662/0x15b0 net/core/dev.c:6108
   __napi_poll+0xcb/0x490 net/core/dev.c:6772
   napi_poll net/core/dev.c:6841 [inline]
   net_rx_action+0x89b/0x1240 net/core/dev.c:6963
   handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
   run_ksoftirqd+0xca/0x130 kernel/softirq.c:928
   smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
   kthread+0x2f0/0x390 kernel/kthread.c:389
   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
  </TASK>

 The buggy address belongs to the physical page:
 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620
 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
 page_type: 0xbfffffff(buddy)
 raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000
 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000
 page dumped because: kasan: bad access detected
 page_owner tracks the page as freed
 page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187
   set_page_owner include/linux/page_owner.h:32 [inline]
   post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
   prep_new_page mm/page_alloc.c:1501 [inline]
   get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439
   __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695
   __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
   alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
   ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103
   __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130
   __do_kmalloc_node mm/slub.c:4146 [inline]
   __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164
   __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650
   bucket_table_alloc lib/rhashtable.c:186 [inline]
   rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071
   ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613
   ops_init+0x359/0x610 net/core/net_namespace.c:139
   setup_net+0x515/0xca0 net/core/net_namespace.c:343
   copy_net_ns+0x4e2/0x7b0 net/core/net_namespace.c:508
   create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
   unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
   ksys_unshare+0x619/0xc10 kernel/fork.c:3328
   __do_sys_unshare kernel/fork.c:3399 [inline]
   __se_sys_unshare kernel/fork.c:3397 [inline]
   __x64_sys_unshare+0x38/0x40 kernel/fork.c:3397
 page last free pid 11846 tgid 11846 stack trace:
   reset_page_owner include/linux/page_owner.h:25 [inline]
   free_pages_prepare mm/page_alloc.c:1094 [inline]
   free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612
   __folio_put+0x2c8/0x440 mm/swap.c:128
   folio_put include/linux/mm.h:1486 [inline]
   free_large_kmalloc+0x105/0x1c0 mm/slub.c:4565
   kfree+0x1c4/0x360 mm/slub.c:4588
   rhashtable_free_and_destroy+0x7c6/0x920 lib/rhashtable.c:1169
   ila_xlat_exit_net+0x55/0x110 net/ipv6/ila/ila_xlat.c:626
   ops_exit_list net/core/net_namespace.c:173 [inline]
   cleanup_net+0x802/0xcc0 net/core/net_namespace.c:640
   process_one_work kernel/workqueue.c:3231 [inline]
   process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
   worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
   kthread+0x2f0/0x390 kernel/kthread.c:389
   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

 Memory state around the buggy address:
  ffff88806461ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff88806461ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 >ffff888064620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                       ^
  ffff888064620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ffff888064620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

 The Linux kernel CVE team has assigned CVE-2024-46782 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 4.19.322 with commit 43d34110882b97ba1ec66cc8234b18983efb9abf
 	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.4.284 with commit dcaf4e2216824839d26727a15b638c6a677bd9fc
 	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.10.226 with commit 93ee345ba349922834e6a9d1dadabaedcc12dce6
 	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.15.167 with commit bda4d84ac0d5421b346faee720011f58bdb99673
 	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.1.110 with commit 925c18a7cff93d8a4320d652351294ff7d0ac93c
 	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.6.51 with commit 18a5a16940464b301ea91bf5da3a324aedb347b2
 	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.10.10 with commit 47abd8adddbc0aecb8f231269ef659148d5dabe4
 	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.11 with commit 031ae72825cef43e4650140b800ad58bf7a6a466

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46782
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/ila/ila.h
 	net/ipv6/ila/ila_main.c
 	net/ipv6/ila/ila_xlat.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf
 	https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc
 	https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6
 	https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673
 	https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c
 	https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2
 	https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4
 	https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46782: ila: call nf_unregister_net_hooks() sooner

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ila: call nf_unregister_net_hooks() sooner

	syzbot found an use-after-free Read in ila_nf_input [1]

	Issue here is that ila_xlat_exit_net() frees the rhashtable,
	then call nf_unregister_net_hooks().

	It should be done in the reverse way, with a synchronize_rcu().

	This is a good match for a pre_exit() method.

	[1]
	BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
	BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
	BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
	BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
	Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16

	CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:93 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
	print_address_description mm/kasan/report.c:377 [inline]
	print_report+0x169/0x550 mm/kasan/report.c:488
	kasan_report+0x143/0x180 mm/kasan/report.c:601
	rht_key_hashfn include/linux/rhashtable.h:159 [inline]
	__rhashtable_lookup include/linux/rhashtable.h:604 [inline]
	rhashtable_lookup include/linux/rhashtable.h:646 [inline]
	rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
	ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
	ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
	ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190
	nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
	nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
	nf_hook include/linux/netfilter.h:269 [inline]
	NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
	__netif_receive_skb_one_core net/core/dev.c:5661 [inline]
	__netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775
	process_backlog+0x662/0x15b0 net/core/dev.c:6108
	__napi_poll+0xcb/0x490 net/core/dev.c:6772
	napi_poll net/core/dev.c:6841 [inline]
	net_rx_action+0x89b/0x1240 net/core/dev.c:6963
	handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
	run_ksoftirqd+0xca/0x130 kernel/softirq.c:928
	smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
	kthread+0x2f0/0x390 kernel/kthread.c:389
	ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
	</TASK>

	The buggy address belongs to the physical page:
	page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620
	flags: 0xfff00000000000(node=0\|zone=1\|lastcpupid=0x7ff)
	page_type: 0xbfffffff(buddy)
	raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000
	raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000
	page dumped because: kasan: bad access detected
	page_owner tracks the page as freed
	page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL\|__GFP_NOWARN\|__GFP_NORETRY\|__GFP_COMP\|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187
	set_page_owner include/linux/page_owner.h:32 [inline]
	post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
	prep_new_page mm/page_alloc.c:1501 [inline]
	get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439
	__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695
	__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
	alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
	___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103
	__kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130
	__do_kmalloc_node mm/slub.c:4146 [inline]
	__kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164
	__kvmalloc_node_noprof+0x72/0x190 mm/util.c:650
	bucket_table_alloc lib/rhashtable.c:186 [inline]
	rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071
	ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613
	ops_init+0x359/0x610 net/core/net_namespace.c:139
	setup_net+0x515/0xca0 net/core/net_namespace.c:343
	copy_net_ns+0x4e2/0x7b0 net/core/net_namespace.c:508
	create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
	unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
	ksys_unshare+0x619/0xc10 kernel/fork.c:3328
	__do_sys_unshare kernel/fork.c:3399 [inline]
	__se_sys_unshare kernel/fork.c:3397 [inline]
	__x64_sys_unshare+0x38/0x40 kernel/fork.c:3397
	page last free pid 11846 tgid 11846 stack trace:
	reset_page_owner include/linux/page_owner.h:25 [inline]
	free_pages_prepare mm/page_alloc.c:1094 [inline]
	free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612
	__folio_put+0x2c8/0x440 mm/swap.c:128
	folio_put include/linux/mm.h:1486 [inline]
	free_large_kmalloc+0x105/0x1c0 mm/slub.c:4565
	kfree+0x1c4/0x360 mm/slub.c:4588
	rhashtable_free_and_destroy+0x7c6/0x920 lib/rhashtable.c:1169
	ila_xlat_exit_net+0x55/0x110 net/ipv6/ila/ila_xlat.c:626
	ops_exit_list net/core/net_namespace.c:173 [inline]
	cleanup_net+0x802/0xcc0 net/core/net_namespace.c:640
	process_one_work kernel/workqueue.c:3231 [inline]
	process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
	worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
	kthread+0x2f0/0x390 kernel/kthread.c:389
	ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

	Memory state around the buggy address:
	ffff88806461ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	ffff88806461ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	>ffff888064620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
	^
	ffff888064620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
	ffff888064620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

	The Linux kernel CVE team has assigned CVE-2024-46782 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 4.19.322 with commit 43d34110882b97ba1ec66cc8234b18983efb9abf
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.4.284 with commit dcaf4e2216824839d26727a15b638c6a677bd9fc
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.10.226 with commit 93ee345ba349922834e6a9d1dadabaedcc12dce6
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.15.167 with commit bda4d84ac0d5421b346faee720011f58bdb99673
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.1.110 with commit 925c18a7cff93d8a4320d652351294ff7d0ac93c
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.6.51 with commit 18a5a16940464b301ea91bf5da3a324aedb347b2
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.10.10 with commit 47abd8adddbc0aecb8f231269ef659148d5dabe4
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.11 with commit 031ae72825cef43e4650140b800ad58bf7a6a466

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46782
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/ila/ila.h
	net/ipv6/ila/ila_main.c
	net/ipv6/ila/ila_xlat.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf
	https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc
	https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6
	https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673
	https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c
	https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2
	https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4
	https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466