{ "threat_severity" : "Moderate", "public_date" : "2024-07-12T00:00:00Z", "bugzilla" : { "description" : "kernel: ipv6: prevent possible NULL dereference in rt6_probe()", "id" : "2297544", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297544" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nipv6: prevent possible NULL dereference in rt6_probe()\nsyzbot caught a NULL dereference in rt6_probe() [1]\nBail out if __in6_dev_get() returns NULL.\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]\nCPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\nRIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]\nRIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758\nCode: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19\nRSP: 0018:ffffc900034af070 EFLAGS: 00010203\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000\nRDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c\nRBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a\nR13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000\nFS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nrt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784\nnexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496\n__find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825\nfind_rr_leaf net/ipv6/route.c:853 [inline]\nrt6_select net/ipv6/route.c:897 [inline]\nfib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195\nip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231\npol_lookup_func include/net/ip6_fib.h:616 [inline]\nfib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121\nip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]\nip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651\nip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147\nip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250\nrawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898\ninet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\nsock_write_iter+0x4b8/0x5c0 net/socket.c:1160\nnew_sync_write fs/read_write.c:497 [inline]\nvfs_write+0x6b6/0x1140 fs/read_write.c:590\nksys_write+0x1f8/0x260 fs/read_write.c:643\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f", "A vulnerability was found in the Linux kernel's IPv6 routing component, where a NULL dereference occurs in the rt6_probe() function. This issue happens when the function attempts to access a resource without confirming its availability, leading to potential crashes." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7001", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7000", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.22.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-10-30T00:00:00Z", "advisory" : "RHSA-2024:8617", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.42.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-10-30T00:00:00Z", "advisory" : "RHSA-2024:8617", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.42.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-10-30T00:00:00Z", "advisory" : "RHSA-2024:8613", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.90.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-10-30T00:00:00Z", "advisory" : "RHSA-2024:8614", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.90.1.rt14.375.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40960\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40960\nhttps://lore.kernel.org/linux-cve-announce/2024071225-CVE-2024-40960-d46f@gregkh/T" ], "name" : "CVE-2024-40960", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }