CVE-2024-44987

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-44987
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-44987.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-44987
Downstream
Related
Published
2024-09-04T19:54:35.510Z
Modified
2025-11-27T02:34:00.738219Z
Summary
ipv6: prevent UAF in ip6_send_skb()
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent UAF in ip6sendskb()

syzbot reported an UAF in ip6sendskb() [1]

After ip6localout() has returned, we no longer can safely dereference rt, unless we hold rcureadlock().

A similar issue has been fixed in commit a688caa34beb ("ipv6: take rcu lock in rawv6sendhdrinc()")

Another potential issue in ip6finishoutput2() is handled in a separate patch.

[1] BUG: KASAN: slab-use-after-free in ip6sendskb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530

CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:93 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:119 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x169/0x550 mm/kasan/report.c:488 kasanreport+0x143/0x180 mm/kasan/report.c:601 ip6sendskb+0x18d/0x230 net/ipv6/ip6output.c:1964 rawv6pushpendingframes+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0x1a6/0x270 net/socket.c:745 sockwriteiter+0x2dd/0x400 net/socket.c:1160 doiterreadvwritev+0x60a/0x890 vfswritev+0x37c/0xbb0 fs/readwrite.c:971 dowritev+0x1b1/0x350 fs/readwrite.c:1018 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 </TASK>

Allocated by task 6530: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 unpoisonslabobject mm/kasan/common.c:312 [inline] kasanslaballoc+0x66/0x80 mm/kasan/common.c:338 kasanslaballoc include/linux/kasan.h:201 [inline] slabpostallochook mm/slub.c:3988 [inline] slaballocnode mm/slub.c:4037 [inline] kmemcacheallocnoprof+0x135/0x2a0 mm/slub.c:4044 dstalloc+0x12b/0x190 net/core/dst.c:89 ip6blackholeroute+0x59/0x340 net/ipv6/route.c:2670 makeblackhole net/xfrm/xfrmpolicy.c:3120 [inline] xfrmlookuproute+0xd1/0x1c0 net/xfrm/xfrmpolicy.c:3313 ip6dstlookupflow+0x13e/0x180 net/ipv6/ip6output.c:1257 rawv6sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0x1a6/0x270 net/socket.c:745 _syssendmsg+0x525/0x7d0 net/socket.c:2597 _syssendmsg net/socket.c:2651 [inline] _syssendmsg+0x2b0/0x3a0 net/socket.c:2680 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f

Freed by task 45: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 kasansavefreeinfo+0x40/0x50 mm/kasan/generic.c:579 poisonslabobject+0xe0/0x150 mm/kasan/common.c:240 _kasanslabfree+0x37/0x60 mm/kasan/common.c:256 kasanslabfree include/linux/kasan.h:184 [inline] slabfreehook mm/slub.c:2252 [inline] slabfree mm/slub.c:4473 [inline] kmemcachefree+0x145/0x350 mm/slub.c:4548 dstdestroy+0x2ac/0x460 net/core/dst.c:124 rcudobatch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. ---truncated---

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2024/44xxx/CVE-2024-44987.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0625491493d9000e4556bf566d205c28c8e7dc4e
Fixed
571567e0277008459750f0728f246086b2659429
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0625491493d9000e4556bf566d205c28c8e7dc4e
Fixed
ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0625491493d9000e4556bf566d205c28c8e7dc4e
Fixed
cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0625491493d9000e4556bf566d205c28c8e7dc4e
Fixed
24e93695b1239fbe4c31e224372be77f82dab69a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0625491493d9000e4556bf566d205c28c8e7dc4e
Fixed
9a3e55afa95ed4ac9eda112d4f918af645d72f25
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0625491493d9000e4556bf566d205c28c8e7dc4e
Fixed
af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0625491493d9000e4556bf566d205c28c8e7dc4e
Fixed
e44bd76dd072756e674f45c5be00153f4ded68b2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0625491493d9000e4556bf566d205c28c8e7dc4e
Fixed
faa389b2fbaaec7fd27a390b4896139f9da662e3

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.32
Fixed
4.19.321
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.283
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.225
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.166
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.107
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.48
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.7