{ "threat_severity" : "Low", "public_date" : "2024-03-18T00:00:00Z", "bugzilla" : { "description" : "kernel: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work", "id" : "2270133", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2270133" }, "cvss3" : { "cvss3_base_score" : "2.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-414", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work\nidev->mc_ifc_count can be written over without proper locking.\nOriginally found by syzbot [1], fix this issue by encapsulating calls\nto mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with\nmutex_lock() and mutex_unlock() accordingly as these functions\nshould only be called with mc_lock per their declarations.\n[1]\nBUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work\nwrite to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:\nmld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]\nipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725\naddrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949\naddrconf_notify+0x310/0x980\nnotifier_call_chain kernel/notifier.c:93 [inline]\nraw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461\n__dev_notify_flags+0x205/0x3d0\ndev_change_flags+0xab/0xd0 net/core/dev.c:8685\ndo_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916\nrtnl_group_changelink net/core/rtnetlink.c:3458 [inline]\n__rtnl_newlink net/core/rtnetlink.c:3717 [inline]\nrtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754\nrtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558\nnetlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545\nrtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576\nnetlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\nnetlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368\nnetlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910\n...\nwrite to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:\nmld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653\nprocess_one_work kernel/workqueue.c:2627 [inline]\nprocess_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700\nworker_thread+0x525/0x730 kernel/workqueue.c:2781\n..." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26631\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26631" ], "name" : "CVE-2024-26631", "csaw" : false }