CVE-2024-35886

CVE Details

Release Date:

2024-05-19

Description

In the Linux kernel, the following vulnerability has been resolved:\nipv6: Fix infinite recursion in fib6_dump_done().\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction. [1]\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated. The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection. [0]\n12:01:34 executing program 3:\nr0 = socket(0x10, 0x3, 0x0)\nsendmsg(r0, ... snip ...)\nrecvmmsg(r0, ... snip ...) (fail_nth: 8)\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\nTo avoid the issue, let's set the destructor after kzalloc().\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n\ndump_stack_lvl (lib/dump_stack.c:117)\nshould_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\nshould_failslab (mm/slub.c:3733)\nkmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\ninet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\nrtnl_dump_all (net/core/rtnetlink.c:4029)\nnetlink_dump (net/netlink/af_netlink.c:2269)\nnetlink_recvmsg (net/netlink/af_netlink.c:1988)\n____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n___sys_recvmsg (net/socket.c:2846)\ndo_recvmmsg (net/socket.c:2943)\n__x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n<#DF>\n\n\nfib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\nfib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n...\nfib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\nfib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\nnetlink_sock_destruct (net/netlink/af_netlink.c:401)\n__sk_destruct (net/core/sock.c:2177 (discriminator 2))\nsk_destruct (net/core/sock.c:2224)\n__sk_free (net/core/sock.c:2235)\nsk_free (net/core/sock.c:2246)\nprocess_one_work (kernel/workqueue.c:3259)\nworker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---

See more information about CVE-2024-35886 from MITRE CVE dictionary and NIST NVD

CVSS Scoring

NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score:	5.5	CVSS Vector:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector:	Local network	Attack Complexity:	Low
Privileges Required:	Low	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	None	Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 6 (kernel-uek)	ELSA-2024-12700	2024-09-27
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12700	2024-09-27
Oracle VM version 3 (kernel-uek)	OVMSA-2024-0013	2024-10-01