cve/published/2024/CVE-2024-56751.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56751: ipv6: release nexthop on device removal

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipv6: release nexthop on device removal

 The CI is hitting some aperiodic hangup at device removal time in the
 pmtu.sh self-test:

 unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
 ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
 	dst_init+0x84/0x4a0
 	dst_alloc+0x97/0x150
 	ip6_dst_alloc+0x23/0x90
 	ip6_rt_pcpu_alloc+0x1e6/0x520
 	ip6_pol_route+0x56f/0x840
 	fib6_rule_lookup+0x334/0x630
 	ip6_route_output_flags+0x259/0x480
 	ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
 	ip6_dst_lookup_flow+0x88/0x190
 	udp_tunnel6_dst_lookup+0x2a7/0x4c0
 	vxlan_xmit_one+0xbde/0x4a50 [vxlan]
 	vxlan_xmit+0x9ad/0xf20 [vxlan]
 	dev_hard_start_xmit+0x10e/0x360
 	__dev_queue_xmit+0xf95/0x18c0
 	arp_solicit+0x4a2/0xe00
 	neigh_probe+0xaa/0xf0

 While the first suspect is the dst_cache, explicitly tracking the dst
 owing the last device reference via probes proved such dst is held by
 the nexthop in the originating fib6_info.

 Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
 removal"), we need to explicitly release the originating fib info when
 disconnecting a to-be-removed device from a live ipv6 dst: move the
 fib6_info cleanup into ip6_dst_ifdown().

 Tested running:

 ./pmtu.sh cleanup_ipv6_exception

 in a tight loop for more than 400 iterations with no spat, running an
 unpatched kernel  I observed a splat every ~10 iterations.

 The Linux kernel CVE team has assigned CVE-2024-56751 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 5.15.181 with commit 77aa9855a878fb43f547ddfbda3127a1e88ad31a
 	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.1.120 with commit b2f26a27ea3f72f75d18330f76f5d1007c791848
 	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.6.64 with commit 43e25adc80269f917d2a195f0d59f74cdd182955
 	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.11.11 with commit a3c3f8a4d025acc8c857246ec2b812c59102487a
 	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.12.2 with commit 0e4c6faaef8a24b762a24ffb767280e263ef8e10
 	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.13 with commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56751
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/route.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/77aa9855a878fb43f547ddfbda3127a1e88ad31a
 	https://git.kernel.org/stable/c/b2f26a27ea3f72f75d18330f76f5d1007c791848
 	https://git.kernel.org/stable/c/43e25adc80269f917d2a195f0d59f74cdd182955
 	https://git.kernel.org/stable/c/a3c3f8a4d025acc8c857246ec2b812c59102487a
 	https://git.kernel.org/stable/c/0e4c6faaef8a24b762a24ffb767280e263ef8e10
 	https://git.kernel.org/stable/c/eb02688c5c45c3e7af7e71f036a7144f5639cbfe
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56751: ipv6: release nexthop on device removal

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipv6: release nexthop on device removal

	The CI is hitting some aperiodic hangup at device removal time in the
	pmtu.sh self-test:

	unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
	ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
	dst_init+0x84/0x4a0
	dst_alloc+0x97/0x150
	ip6_dst_alloc+0x23/0x90
	ip6_rt_pcpu_alloc+0x1e6/0x520
	ip6_pol_route+0x56f/0x840
	fib6_rule_lookup+0x334/0x630
	ip6_route_output_flags+0x259/0x480
	ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
	ip6_dst_lookup_flow+0x88/0x190
	udp_tunnel6_dst_lookup+0x2a7/0x4c0
	vxlan_xmit_one+0xbde/0x4a50 [vxlan]
	vxlan_xmit+0x9ad/0xf20 [vxlan]
	dev_hard_start_xmit+0x10e/0x360
	__dev_queue_xmit+0xf95/0x18c0
	arp_solicit+0x4a2/0xe00
	neigh_probe+0xaa/0xf0

	While the first suspect is the dst_cache, explicitly tracking the dst
	owing the last device reference via probes proved such dst is held by
	the nexthop in the originating fib6_info.

	Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
	removal"), we need to explicitly release the originating fib info when
	disconnecting a to-be-removed device from a live ipv6 dst: move the
	fib6_info cleanup into ip6_dst_ifdown().

	Tested running:

	./pmtu.sh cleanup_ipv6_exception

	in a tight loop for more than 400 iterations with no spat, running an
	unpatched kernel I observed a splat every ~10 iterations.

	The Linux kernel CVE team has assigned CVE-2024-56751 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 5.15.181 with commit 77aa9855a878fb43f547ddfbda3127a1e88ad31a
	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.1.120 with commit b2f26a27ea3f72f75d18330f76f5d1007c791848
	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.6.64 with commit 43e25adc80269f917d2a195f0d59f74cdd182955
	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.11.11 with commit a3c3f8a4d025acc8c857246ec2b812c59102487a
	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.12.2 with commit 0e4c6faaef8a24b762a24ffb767280e263ef8e10
	Issue introduced in 5.3 with commit f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 and fixed in 6.13 with commit eb02688c5c45c3e7af7e71f036a7144f5639cbfe

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56751
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/route.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/77aa9855a878fb43f547ddfbda3127a1e88ad31a
	https://git.kernel.org/stable/c/b2f26a27ea3f72f75d18330f76f5d1007c791848
	https://git.kernel.org/stable/c/43e25adc80269f917d2a195f0d59f74cdd182955
	https://git.kernel.org/stable/c/a3c3f8a4d025acc8c857246ec2b812c59102487a
	https://git.kernel.org/stable/c/0e4c6faaef8a24b762a24ffb767280e263ef8e10
	https://git.kernel.org/stable/c/eb02688c5c45c3e7af7e71f036a7144f5639cbfe