Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: fix use-after-free in __nf_register_net_hook() We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already. BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline] BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline] BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438 Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430 CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline] hooks_validate net/netfilter/core.c:171 [inline] __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218 synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038 check_target net/ipv6/netfilter/ip6_tables.c:530 [inline] find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline] do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024 rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084 __sys_setsockopt+0x2db/0x610 net/socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [inline] __se_sys_setsockopt net/socket.c:2188 [inline] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f65a1ace7d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9 RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003 RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130 R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000 </TASK> The buggy address belongs to the page: page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 __alloc_pages_node include/linux/gfp.h:572 [inline] alloc_pages_node include/linux/gfp.h:595 [inline] kmalloc_large_node+0x62/0x130 mm/slub.c:4438 __kmalloc_node+0x35a/0x4a0 mm/slub. ---truncated---

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  7.8 HIGH

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/05f7927b25d2635e87267ff6c79db79fb46cf313	Patch
https://git.kernel.org/stable/c/49c24579cec41e32f13d57b337fd28fb208d4a5b	Patch
https://git.kernel.org/stable/c/56763f12b0f02706576a088e85ef856deacc98a0	Patch
https://git.kernel.org/stable/c/5a8076e98dde17224dd47283b894a8b1dbe1bc72	Patch
https://git.kernel.org/stable/c/8b0142c4143c1ca297dcf2c0cdd045d65dae2344	Patch
https://git.kernel.org/stable/c/bd61f192a339b1095dfd6d56073a5265934c2979	Patch
https://git.kernel.org/stable/c/bdd8fc1b826e6f23963f5bef3f7431c6188ec954	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-416	Use After Free	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 8/27/2024 12:12:47 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		Record truncated, showing 500 of 652 characters. View Entire Change Record OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.14 up to (excluding) 4.14.270 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.233 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.183 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.104 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions fro
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-416
Changed	Reference Type	https://git.kernel.org/stable/c/05f7927b25d2635e87267ff6c79db79fb46cf313 No Types Assigned	https://git.kernel.org/stable/c/05f7927b25d2635e87267ff6c79db79fb46cf313 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/49c24579cec41e32f13d57b337fd28fb208d4a5b No Types Assigned	https://git.kernel.org/stable/c/49c24579cec41e32f13d57b337fd28fb208d4a5b Patch
Changed	Reference Type	https://git.kernel.org/stable/c/56763f12b0f02706576a088e85ef856deacc98a0 No Types Assigned	https://git.kernel.org/stable/c/56763f12b0f02706576a088e85ef856deacc98a0 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/5a8076e98dde17224dd47283b894a8b1dbe1bc72 No Types Assigned	https://git.kernel.org/stable/c/5a8076e98dde17224dd47283b894a8b1dbe1bc72 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/8b0142c4143c1ca297dcf2c0cdd045d65dae2344 No Types Assigned	https://git.kernel.org/stable/c/8b0142c4143c1ca297dcf2c0cdd045d65dae2344 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/bd61f192a339b1095dfd6d56073a5265934c2979 No Types Assigned	https://git.kernel.org/stable/c/bd61f192a339b1095dfd6d56073a5265934c2979 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/bdd8fc1b826e6f23963f5bef3f7431c6188ec954 No Types Assigned	https://git.kernel.org/stable/c/bdd8fc1b826e6f23963f5bef3f7431c6188ec954 Patch

New CVE Received by NIST 8/21/2024 10:15:05 PM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 3998 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: netfilter: fix use-after-free in __nf_register_net_hook() We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already. BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline] BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline] BUG: KASAN: use-after-free in __nf_register_net_hook
Added	Reference		kernel.org https://git.kernel.org/stable/c/05f7927b25d2635e87267ff6c79db79fb46cf313 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/49c24579cec41e32f13d57b337fd28fb208d4a5b [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/56763f12b0f02706576a088e85ef856deacc98a0 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/5a8076e98dde17224dd47283b894a8b1dbe1bc72 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/8b0142c4143c1ca297dcf2c0cdd045d65dae2344 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/bd61f192a339b1095dfd6d56073a5265934c2979 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/bdd8fc1b826e6f23963f5bef3f7431c6188ec954 [No types assigned]