Description

In the Linux kernel, the following vulnerability has been resolved: bonding: fix xfrm real_dev null pointer dereference We shouldn't set real_dev to NULL because packets can be in transit and xfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume real_dev is set. Example trace: kernel: BUG: unable to handle page fault for address: 0000000000001030 kernel: bond0: (slave eni0np1): making interface the new active one kernel: #PF: supervisor write access in kernel mode kernel: #PF: error_code(0x0002) - not-present page kernel: PGD 0 P4D 0 kernel: Oops: 0002 [#1] PREEMPT SMP kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12 kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim] kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 <83> 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f kernel: bond0: (slave eni0np1): making interface the new active one kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60 kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00 kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014 kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000 kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000 kernel: FS: 00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0 kernel: bond0: (slave eni0np1): making interface the new active one kernel: Call Trace: kernel: <TASK> kernel: ? __die+0x1f/0x60 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ? page_fault_oops+0x142/0x4c0 kernel: ? do_user_addr_fault+0x65/0x670 kernel: ? kvm_read_and_reset_apf_flags+0x3b/0x50 kernel: bond0: (slave eni0np1): making interface the new active one kernel: ? exc_page_fault+0x7b/0x180 kernel: ? asm_exc_page_fault+0x22/0x30 kernel: ? nsim_bpf_uninit+0x50/0x50 [netdevsim] kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ? nsim_ipsec_offload_ok+0xc/0x20 [netdevsim] kernel: bond0: (slave eni0np1): making interface the new active one kernel: bond_ipsec_offload_ok+0x7b/0x90 [bonding] kernel: xfrm_output+0x61/0x3b0 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ip_push_pending_frames+0x56/0x80

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  5.5 MEDIUM

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/21816b696c172c19d53a30d45ee005cce246ed21	Patch
https://git.kernel.org/stable/c/2f72c6a66bcd7e0187ec085237fee5db27145294	Patch
https://git.kernel.org/stable/c/4582d4ff413a07d4ed8a4823c652dc5207760548	Patch
https://git.kernel.org/stable/c/7fa9243391ad2afe798ef4ea2e2851947b95754f	Patch
https://git.kernel.org/stable/c/89fc1dca79db5c3e7a2d589ecbf8a3661c65f436	Patch
https://git.kernel.org/stable/c/f8cde9805981c50d0c029063dc7d82821806fc44	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-476	NULL Pointer Dereference	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 9/06/2024 12:31:22 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE		NIST CWE-476
Added	CPE Configuration		Record truncated, showing 500 of 763 characters. View Entire Change Record OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.9 up to (excluding) 5.10.225 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.166 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.107 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.48 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (
Changed	Reference Type	https://git.kernel.org/stable/c/21816b696c172c19d53a30d45ee005cce246ed21 No Types Assigned	https://git.kernel.org/stable/c/21816b696c172c19d53a30d45ee005cce246ed21 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/2f72c6a66bcd7e0187ec085237fee5db27145294 No Types Assigned	https://git.kernel.org/stable/c/2f72c6a66bcd7e0187ec085237fee5db27145294 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/4582d4ff413a07d4ed8a4823c652dc5207760548 No Types Assigned	https://git.kernel.org/stable/c/4582d4ff413a07d4ed8a4823c652dc5207760548 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/7fa9243391ad2afe798ef4ea2e2851947b95754f No Types Assigned	https://git.kernel.org/stable/c/7fa9243391ad2afe798ef4ea2e2851947b95754f Patch
Changed	Reference Type	https://git.kernel.org/stable/c/89fc1dca79db5c3e7a2d589ecbf8a3661c65f436 No Types Assigned	https://git.kernel.org/stable/c/89fc1dca79db5c3e7a2d589ecbf8a3661c65f436 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/f8cde9805981c50d0c029063dc7d82821806fc44 No Types Assigned	https://git.kernel.org/stable/c/f8cde9805981c50d0c029063dc7d82821806fc44 Patch

New CVE Received from kernel.org 9/04/2024 4:15:08 PM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 2833 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: bonding: fix xfrm real_dev null pointer dereference We shouldn't set real_dev to NULL because packets can be in transit and xfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume real_dev is set. Example trace: kernel: BUG: unable to handle page fault for address: 0000000000001030 kernel: bond0: (slave eni0np1): making interface the new active one kernel: #PF: supervisor write access in kernel mode kernel
Added	Reference		kernel.org https://git.kernel.org/stable/c/21816b696c172c19d53a30d45ee005cce246ed21 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/2f72c6a66bcd7e0187ec085237fee5db27145294 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/4582d4ff413a07d4ed8a4823c652dc5207760548 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/7fa9243391ad2afe798ef4ea2e2851947b95754f [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/89fc1dca79db5c3e7a2d589ecbf8a3661c65f436 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/f8cde9805981c50d0c029063dc7d82821806fc44 [No types assigned]