{ "threat_severity" : "Moderate", "public_date" : "2024-04-17T00:00:00Z", "bugzilla" : { "description" : "kernel: net/ipv6: avoid possible UAF in ip6_route_mpath_notify()", "id" : "2275761", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2275761" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/ipv6: avoid possible UAF in ip6_route_mpath_notify()\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:377 [inline]\nprint_report+0x167/0x540 mm/kasan/report.c:488\nkasan_report+0x142/0x180 mm/kasan/report.c:601\nrt6_fill_node+0x1460/0x1ac0\ninet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\nip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\nip6_route_multipath_add net/ipv6/route.c:5404 [inline]\ninet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\nrtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\nnetlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\nnetlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\nnetlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\nnetlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x221/0x270 net/socket.c:745\n____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n___sys_sendmsg net/socket.c:2638 [inline]\n__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\ndo_syscall_64+0xf9/0x240\nentry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n\nAllocated by task 23037:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\nkasan_kmalloc include/linux/kasan.h:211 [inline]\n__do_kmalloc_node mm/slub.c:3981 [inline]\n__kmalloc+0x22e/0x490 mm/slub.c:3994\nkmalloc include/linux/slab.h:594 [inline]\nkzalloc include/linux/slab.h:711 [inline]\nfib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\nip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\nip6_route_multipath_add net/ipv6/route.c:5298 [inline]\ninet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\nrtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\nnetlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\nnetlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\nnetlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\nnetlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0x221/0x270 net/socket.c:745\n____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n___sys_sendmsg net/socket.c:2638 [inline]\n__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\ndo_syscall_64+0xf9/0x240\nentry_SYSCALL_64_after_hwframe+0x6f/0x77\nFreed by task 16:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\nkasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\npoison_slab_object+0xa6/0xe0 m\n---truncated---", "A use-after-free flaw was found in ip6_route_mpath_notify() in the Linux kernel. This may lead to a crash." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5102", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-08-08T00:00:00Z", "advisory" : "RHSA-2024:5101", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.16.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2024-07-29T00:00:00Z", "advisory" : "RHSA-2024:4902", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.113.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2024-07-29T00:00:00Z", "advisory" : "RHSA-2024:4902", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.113.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2024-07-29T00:00:00Z", "advisory" : "RHSA-2024:4902", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.113.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2024-09-03T00:00:00Z", "advisory" : "RHSA-2024:6206", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kernel-0:4.18.0-477.70.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-07-31T00:00:00Z", "advisory" : "RHSA-2024:4928", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.28.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-07-31T00:00:00Z", "advisory" : "RHSA-2024:4928", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.28.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-07-15T00:00:00Z", "advisory" : "RHSA-2024:4533", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.73.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-07-15T00:00:00Z", "advisory" : "RHSA-2024:4554", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.73.1.rt14.358.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26852\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26852\nhttps://lore.kernel.org/linux-cve-announce/2024041723-CVE-2024-26852-0057@gregkh/T" ], "name" : "CVE-2024-26852", "csaw" : false }