CVE-2024-40957

CVE Details

Release Date:2024-07-12

Description


In the Linux kernel, the following vulnerability has been resolved:\nseg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors\ninput_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for\nPREROUTING hook, in PREROUTING hook, we should passing a valid indev,\nand a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer\ndereference, as below:\n[74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090\n[74830.655633] #PF: supervisor read access in kernel mode\n[74830.657888] #PF: error_code(0x0000) - not-present page\n[74830.659500] PGD 0 P4D 0\n[74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI\n...\n[74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n[74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n...\n[74830.689725] Call Trace:\n[74830.690402] \n[74830.690953] ? show_trace_log_lvl+0x1c4/0x2df\n[74830.692020] ? show_trace_log_lvl+0x1c4/0x2df\n[74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables]\n[74830.694275] ? __die_body.cold+0x8/0xd\n[74830.695205] ? page_fault_oops+0xac/0x140\n[74830.696244] ? exc_page_fault+0x62/0x150\n[74830.697225] ? asm_exc_page_fault+0x22/0x30\n[74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter]\n[74830.699540] ipt_do_table+0x286/0x710 [ip_tables]\n[74830.700758] ? ip6_route_input+0x19d/0x240\n[74830.701752] nf_hook_slow+0x3f/0xb0\n[74830.702678] input_action_end_dx4+0x19b/0x1e0\n[74830.703735] ? input_action_end_t+0xe0/0xe0\n[74830.704734] seg6_local_input_core+0x2d/0x60\n[74830.705782] lwtunnel_input+0x5b/0xb0\n[74830.706690] __netif_receive_skb_one_core+0x63/0xa0\n[74830.707825] process_backlog+0x99/0x140\n[74830.709538] __napi_poll+0x2c/0x160\n[74830.710673] net_rx_action+0x296/0x350\n[74830.711860] __do_softirq+0xcb/0x2ac\n[74830.713049] do_softirq+0x63/0x90\ninput_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally\ntrigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback():\nstatic bool\nrpfilter_is_loopback(const struct sk_buff *skb,\nconst struct net_device *in)\n{\n// in is NULL\nreturn skb->pkt_type == PACKET_LOOPBACK ||\nin->flags & IFF_LOOPBACK;\n}

See more information about CVE-2024-40957 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 5.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local network Attack Complexity: Low
Privileges Required: Low User Interaction: None
Scope: Unchanged Confidentiality Impact: None
Integrity Impact: None Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 8 (kernel-uek)ELSA-2024-126182024-09-12
Oracle Linux version 9 (kernel)ELSA-2024-59282024-08-28
Oracle Linux version 9 (kernel-uek)ELSA-2024-126182024-09-12


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete