Description

In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  7.8 HIGH

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466	Patch
https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2	Patch
https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf	Patch
https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4	Patch
https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c	Patch
https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6	Patch
https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673	Patch
https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-416	Use After Free	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 9/23/2024 12:32:04 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		Record truncated, showing 500 of 1092 characters. View Entire Change Record OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.5 up to (excluding) 4.19.322 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.284 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.226 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.167 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-416
Changed	Reference Type	https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466 No Types Assigned	https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2 No Types Assigned	https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf No Types Assigned	https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf Patch
Changed	Reference Type	https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4 No Types Assigned	https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c No Types Assigned	https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c Patch
Changed	Reference Type	https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6 No Types Assigned	https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673 No Types Assigned	https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc No Types Assigned	https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc Patch

New CVE Received by NIST 9/18/2024 4:15:05 AM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 3998 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free i
Added	Reference		kernel.org https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc [No types assigned]