CVE-2024-46782

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-46782
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-46782.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46782
Related
Published
2024-09-18T08:15:05Z
Modified
2024-10-07T19:49:21.214631Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ila: call nfunregisternet_hooks() sooner

syzbot found an use-after-free Read in ilanfinput [1]

Issue here is that ilaxlatexitnet() frees the rhashtable, then call nfunregisternethooks().

It should be done in the reverse way, with a synchronize_rcu().

This is a good match for a pre_exit() method.

[1] BUG: KASAN: use-after-free in rhtkeyhashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in _rhashtablelookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtablelookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtablelookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16

CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:93 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:119 printaddressdescription mm/kasan/report.c:377 [inline] printreport+0x169/0x550 mm/kasan/report.c:488 kasanreport+0x143/0x180 mm/kasan/report.c:601 rhtkeyhashfn include/linux/rhashtable.h:159 [inline] _rhashtablelookup include/linux/rhashtable.h:604 [inline] rhashtablelookup include/linux/rhashtable.h:646 [inline] rhashtablelookupfast+0x77a/0x9b0 include/linux/rhashtable.h:672 ilalookupwildcards net/ipv6/ila/ilaxlat.c:132 [inline] ilaxlataddr net/ipv6/ila/ilaxlat.c:652 [inline] ilanfinput+0x1fe/0x3c0 net/ipv6/ila/ilaxlat.c:190 nfhookentryhookfn include/linux/netfilter.h:154 [inline] nfhookslow+0xc3/0x220 net/netfilter/core.c:626 nfhook include/linux/netfilter.h:269 [inline] NFHOOK+0x29e/0x450 include/linux/netfilter.h:312 _netifreceiveskbonecore net/core/dev.c:5661 [inline] _netifreceiveskb+0x1ea/0x650 net/core/dev.c:5775 processbacklog+0x662/0x15b0 net/core/dev.c:6108 _napipoll+0xcb/0x490 net/core/dev.c:6772 napipoll net/core/dev.c:6841 [inline] netrxaction+0x89b/0x1240 net/core/dev.c:6963 handlesoftirqs+0x2c4/0x970 kernel/softirq.c:554 runksoftirqd+0xca/0x130 kernel/softirq.c:928 smpbootthreadfn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>

The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) pagetype: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected pageowner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfpmask 0x52dc0(GFPKERNEL|GFPNOWARN|GFPNORETRY|GFPCOMP|GFPZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, freets 618981657187 setpageowner include/linux/pageowner.h:32 [inline] postallochook+0x1f3/0x230 mm/pagealloc.c:1493 prepnewpage mm/pagealloc.c:1501 [inline] getpagefromfreelist+0x2e4c/0x2f10 mm/pagealloc.c:3439 allocpagesnoprof+0x256/0x6c0 mm/pagealloc.c:4695 _allocpagesnodenoprof include/linux/gfp.h:269 [inline] allocpagesnodenoprof include/linux/gfp.h:296 [inline] kmalloclargenode+0x8b/0x1d0 mm/slub.c:4103 _kmalloclargenodenoprof+0x1a/0x80 mm/slub.c:4130 _dokmallocnode mm/slub.c:4146 [inline] _kmallocnodenoprof+0x2d2/0x440 mm/slub.c:4164 _kvmallocnodenoprof+0x72/0x190 mm/util.c:650 buckettablealloc lib/rhashtable.c:186 [inline] rhashtableinitnoprof+0x534/0xa60 lib/rhashtable.c:1071 ilaxlatinitnet+0xa0/0x110 net/ipv6/ila/ilaxlat.c:613 ops_ini ---truncated---

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.226-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2
5.10.216-1
5.10.218-1
5.10.221-1
5.10.223-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.112-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.10.11-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}