lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <2025011515-CVE-2024-57900-72ad@gregkh>
Date: Wed, 15 Jan 2025 14:06:23 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-57900: ila: serialize calls to nf_register_net_hooks()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ila: serialize calls to nf_register_net_hooks()

syzbot found a race in ila_add_mapping() [1]

commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner")
attempted to fix a similar issue.

Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.

Add a mutex to make sure at most one thread is calling nf_register_net_hooks().

[1]
 BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501

CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <IRQ>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:378 [inline]
  print_report+0xc3/0x620 mm/kasan/report.c:489
  kasan_report+0xd9/0x110 mm/kasan/report.c:602
  rht_key_hashfn include/linux/rhashtable.h:159 [inline]
  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
  rhashtable_lookup include/linux/rhashtable.h:646 [inline]
  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185
  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
  NF_HOOK include/linux/netfilter.h:312 [inline]
  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672
  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
  process_backlog+0x443/0x15f0 net/core/dev.c:6117
  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883
  napi_poll net/core/dev.c:6952 [inline]
  net_rx_action+0xa94/0x1010 net/core/dev.c:7074
  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
  __do_softirq kernel/softirq.c:595 [inline]
  invoke_softirq kernel/softirq.c:435 [inline]
  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049

The Linux kernel CVE team has assigned CVE-2024-57900 to this issue.
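The bug class here is a check-then-act race on a per-namespace "hooks registered" flag: two ILA_CMD_ADD callers can both observe hooks_registered == false before either sets it, so nf_register_net_hooks() runs twice for the same net. The following is an added example, not code from the kernel or from this advisory. It models the pre-fix path and a mutex-serialized path (cheap check, take the lock, re-check under the lock, register, release) as small step machines and exhaustively drives every interleaving of two threads; the exact shape of the fix in net/ipv6/ila/ila_xlat.c is in the commits linked below, and the step sequences, the ila_net_model struct and the fake_nf_register_net_hooks() counter are assumptions made for the model.

```c
/* Added example (not kernel code): model of the ila_add_mapping()
 * check-then-act race from CVE-2024-57900 and of serializing the
 * registration with a mutex, explored over every interleaving of
 * two threads. Compile: cc -std=c11 -Wall race_model.c */
#include <stdbool.h>
#include <stdio.h>

struct ila_net_model {
    bool hooks_registered;   /* models ilan->xlat.hooks_registered */
    int  register_calls;     /* times the nf_register_net_hooks() stand-in ran */
    bool mutex_held;         /* models the mutex: true while some thread holds it */
};

enum pc { CHECK, LOCK, RECHECK, REGISTER, UNLOCK, DONE };

struct thread { enum pc pc; };

/* Stand-in for nf_register_net_hooks(): only counts how often it ran. */
static void fake_nf_register_net_hooks(struct ila_net_model *m)
{
    m->register_calls++;
}

/* One step of the pre-fix path (assumed shape):
 *   if (!hooks_registered) { register(); hooks_registered = true; }
 * The flag is read in one step and written in a later one. */
static void step_unlocked(struct ila_net_model *m, struct thread *t)
{
    switch (t->pc) {
    case CHECK:
        t->pc = m->hooks_registered ? DONE : REGISTER;
        break;
    case REGISTER:
        fake_nf_register_net_hooks(m);
        m->hooks_registered = true;
        t->pc = DONE;
        break;
    default:
        t->pc = DONE;
    }
}

/* One step of the serialized path: cheap check, mutex, re-check under it. */
static void step_locked(struct ila_net_model *m, struct thread *t)
{
    switch (t->pc) {
    case CHECK:
        t->pc = m->hooks_registered ? DONE : LOCK;
        break;
    case LOCK:
        if (m->mutex_held)
            return;              /* blocked on the mutex: no progress this step */
        m->mutex_held = true;
        t->pc = RECHECK;
        break;
    case RECHECK:
        t->pc = m->hooks_registered ? UNLOCK : REGISTER;
        break;
    case REGISTER:
        fake_nf_register_net_hooks(m);
        m->hooks_registered = true;
        t->pc = UNLOCK;
        break;
    case UNLOCK:
        m->mutex_held = false;
        t->pc = DONE;
        break;
    case DONE:
        break;
    }
}

typedef void (*step_fn)(struct ila_net_model *, struct thread *);

/* Run two threads under one schedule: bit i of `sched` picks which
 * thread takes step i. Returns how many times registration ran. */
static int run_schedule(step_fn step, unsigned sched, int nsteps)
{
    struct ila_net_model m = {0};
    struct thread t[2] = {{CHECK}, {CHECK}};

    for (int i = 0; i < nsteps; i++)
        step(&m, &t[(sched >> i) & 1]);
    return m.register_calls;
}

/* Try every interleaving of two threads and report the worst case. */
static int max_registrations(step_fn step)
{
    const int nsteps = 12;   /* enough for both threads to finish in any order */
    int worst = 0;

    for (unsigned sched = 0; sched < (1u << nsteps); sched++) {
        int n = run_schedule(step, sched, nsteps);
        if (n > worst)
            worst = n;
    }
    return worst;
}

int max_registrations_unlocked(void) { return max_registrations(step_unlocked); }
int max_registrations_locked(void)   { return max_registrations(step_locked); }

int main(void)
{
    printf("pre-fix: up to %d registration(s) from two concurrent adds\n",
           max_registrations_unlocked());
    printf("serialized: up to %d registration(s)\n", max_registrations_locked());
    return 0;
}
```

The unlocked model reaches two registrations on the schedule where both threads pass CHECK before either reaches REGISTER, which is the interleaving the syzbot reproducer hits with concurrent ILA_CMD_ADD; with the mutex and the re-check under it, no interleaving registers more than once. The re-check matters: a lock around the registration alone, without re-reading the flag after acquiring it, would still let the second thread register again.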


Affected and fixed versions
===========================

	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.4.289 with commit 1638f430f8900f2375f5de45508fbe553997e190
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.10.233 with commit d3017895e393536b234cf80a83fc463c08a28137
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 5.15.176 with commit ad0677c37c14fa28913daea92d139644d7acf04e
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.1.124 with commit eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.6.70 with commit 17e8fa894345e8d2c7a7642482267b275c3d4553
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.12.9 with commit 3d1b63cf468e446b9feaf4e4e73182b9cc82f460
	Issue introduced in 4.5 with commit 7f00feaf107645d95a6d87e99b4d141ac0a08efd and fixed in 6.13-rc6 with commit 260466b576bca0081a7d4acecc8e93687aa22d0e

Please see https://www.kernel.org for the full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57900
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/ipv6/ila/ila_xlat.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/1638f430f8900f2375f5de45508fbe553997e190
	https://git.kernel.org/stable/c/d3017895e393536b234cf80a83fc463c08a28137
	https://git.kernel.org/stable/c/ad0677c37c14fa28913daea92d139644d7acf04e
	https://git.kernel.org/stable/c/eba25e21dce7ec70e2b3f121b2f3a25a4ec43eca
	https://git.kernel.org/stable/c/17e8fa894345e8d2c7a7642482267b275c3d4553
	https://git.kernel.org/stable/c/3d1b63cf468e446b9feaf4e4e73182b9cc82f460
	https://git.kernel.org/stable/c/260466b576bca0081a7d4acecc8e93687aa22d0e
