{
  "threat_severity" : "Low",
  "public_date" : "2024-05-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ipv6: Fix infinite recursion in fib6_dump_done().",
    "id" : "2281697",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281697"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipv6: Fix infinite recursion in fib6_dump_done().\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction.  [1]\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated.  The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection.  [0]\n12:01:34 executing program 3:\nr0 = socket$nl_route(0x10, 0x3, 0x0)\nsendmsg$nl_route(r0, ... snip ...)\nrecvmmsg(r0, ... snip ...) (fail_nth: 8)\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3].  syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL.  fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\nTo avoid the issue, let's set the destructor after kzalloc().\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl (lib/dump_stack.c:117)\nshould_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\nshould_failslab (mm/slub.c:3733)\nkmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\ninet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\nrtnl_dump_all (net/core/rtnetlink.c:4029)\nnetlink_dump (net/netlink/af_netlink.c:2269)\nnetlink_recvmsg (net/netlink/af_netlink.c:1988)\n____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n___sys_recvmsg (net/socket.c:2846)\ndo_recvmmsg (net/socket.c:2943)\n__x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n<#DF>\n</#DF>\n<TASK>\nfib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\nfib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n...\nfib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\nfib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\nnetlink_sock_destruct (net/netlink/af_netlink.c:401)\n__sk_destruct (net/core/sock.c:2177 (discriminator 2))\nsk_destruct (net/core/sock.c:2224)\n__sk_free (net/core/sock.c:2235)\nsk_free (net/core/sock.c:2246)\nprocess_one_work (kernel/workqueue.c:3259)\nworker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---", "In the Linux kernel, the following vulnerability has been resolved:\nipv6: Fix infinite recursion in fib6_dump_done().\nThe Linux kernel CVE team has assigned CVE-2024-35886 to this issue.\nUpstream advisory:\nhttps://lore.kernel.org/linux-cve-announce/2024051946-CVE-2024-35886-19d4@gregkh/T" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35886\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35886\nhttps://lore.kernel.org/linux-cve-announce/2024051946-CVE-2024-35886-19d4@gregkh/T" ],
  "name" : "CVE-2024-35886",
  "csaw" : false
}