{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ipv6: fix possible race in __fib6_drop_pcpu_from()",
    "id" : "2297489",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297489"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipv6: fix possible race in __fib6_drop_pcpu_from()\nsyzbot found a race in __fib6_drop_pcpu_from() [1]\nIf compiler reads more than once (*ppcpu_rt),\nsecond read could read NULL, if another cpu clears\nthe value in rt6_get_pcpu_route().\nAdd a READ_ONCE() to prevent this race.\nAlso add rcu_read_lock()/rcu_read_unlock() because\nwe rely on RCU protection while dereferencing pcpu_rt.\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]\nCPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nWorkqueue: netns cleanup_net\nRIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984\nCode: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48\nRSP: 0018:ffffc900040df070 EFLAGS: 00010206\nRAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16\nRDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091\nRBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007\nR10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8\nR13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001\nFS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\n__fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]\nfib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]\nfib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038\nfib6_del_route net/ipv6/ip6_fib.c:1998 [inline]\nfib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043\nfib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205\nfib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127\nfib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175\nfib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255\n__fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271\nrt6_sync_down_dev net/ipv6/route.c:4906 [inline]\nrt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911\naddrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855\naddrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778\nnotifier_call_chain+0xb9/0x410 kernel/notifier.c:93\ncall_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992\ncall_netdevice_notifiers_extack net/core/dev.c:2030 [inline]\ncall_netdevice_notifiers net/core/dev.c:2044 [inline]\ndev_close_many+0x333/0x6a0 net/core/dev.c:1585\nunregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193\nunregister_netdevice_many net/core/dev.c:11276 [inline]\ndefault_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759\nops_exit_list+0x128/0x180 net/core/net_namespace.c:178\ncleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\nprocess_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\nprocess_scheduled_works kernel/workqueue.c:3312 [inline]\nworker_thread+0x6c8/0xf70 kernel/workqueue.c:3393\nkthread+0x2c1/0x3a0 kernel/kthread.c:389\nret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", "A vulnerability was found in the Linux kernel's IPv6 routing component, in the __fib6_drop_pcpu_from() function, resulting in a race condition. This vulnerability occurs when multiple CPUs access and modify a pointer simultaneously, leading to a potential null pointer dereference." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-28T00:00:00Z",
    "advisory" : "RHSA-2024:5928",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.33.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40905\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40905\nhttps://lore.kernel.org/linux-cve-announce/2024071208-CVE-2024-40905-44f9@gregkh/T" ],
  "name" : "CVE-2024-40905",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}