cve-2024-46782
Vulnerability from cvelistv5
Published
2024-09-18 07:12
Modified
2024-12-19 09:23
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abfPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fcPatch
Impacted products
Vendor Product Version
Linux Linux Version: 4.5
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-46782",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-29T14:30:14.976916Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-10T13:18:35.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ila/ila.h",
            "net/ipv6/ila/ila_main.c",
            "net/ipv6/ila/ila_xlat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "43d34110882b97ba1ec66cc8234b18983efb9abf",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "dcaf4e2216824839d26727a15b638c6a677bd9fc",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "93ee345ba349922834e6a9d1dadabaedcc12dce6",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "bda4d84ac0d5421b346faee720011f58bdb99673",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "925c18a7cff93d8a4320d652351294ff7d0ac93c",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "18a5a16940464b301ea91bf5da3a324aedb347b2",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "47abd8adddbc0aecb8f231269ef659148d5dabe4",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            },
            {
              "lessThan": "031ae72825cef43e4650140b800ad58bf7a6a466",
              "status": "affected",
              "version": "7f00feaf107645d95a6d87e99b4d141ac0a08efd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/ila/ila.h",
            "net/ipv6/ila/ila_main.c",
            "net/ipv6/ila/ila_xlat.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.322",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.284",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.226",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.110",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: call nf_unregister_net_hooks() sooner\n\nsyzbot found an use-after-free Read in ila_nf_input [1]\n\nIssue here is that ila_xlat_exit_net() frees the rhashtable,\nthen call nf_unregister_net_hooks().\n\nIt should be done in the reverse way, with a synchronize_rcu().\n\nThis is a good match for a pre_exit() method.\n\n[1]\n BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\nRead of size 4 at addr ffff888064620008 by task ksoftirqd/0/16\n\nCPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n  __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n  rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n  ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312\n  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]\n  __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775\n  process_backlog+0x662/0x15b0 net/core/dev.c:6108\n  __napi_poll+0xcb/0x490 net/core/dev.c:6772\n  napi_poll net/core/dev.c:6841 [inline]\n  net_rx_action+0x89b/0x1240 net/core/dev.c:6963\n  handle_softirqs+0x2c4/0x970 kernel/softirq.c:554\n  run_ksoftirqd+0xca/0x130 kernel/softirq.c:928\n  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xbfffffff(buddy)\nraw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000\nraw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187\n  set_page_owner include/linux/page_owner.h:32 [inline]\n  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493\n  prep_new_page mm/page_alloc.c:1501 [inline]\n  get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439\n  __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695\n  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]\n  alloc_pages_node_noprof include/linux/gfp.h:296 [inline]\n  ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103\n  __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130\n  __do_kmalloc_node mm/slub.c:4146 [inline]\n  __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164\n  __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650\n  bucket_table_alloc lib/rhashtable.c:186 [inline]\n  rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071\n  ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613\n  ops_ini\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:23:02.588Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf"
        },
        {
          "url": "https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6"
        },
        {
          "url": "https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673"
        },
        {
          "url": "https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c"
        },
        {
          "url": "https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4"
        },
        {
          "url": "https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466"
        }
      ],
      "title": "ila: call nf_unregister_net_hooks() sooner",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-46782",
    "datePublished": "2024-09-18T07:12:38.652Z",
    "dateReserved": "2024-09-11T15:12:18.276Z",
    "dateUpdated": "2024-12-19T09:23:02.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-46782\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-18T08:15:05.577\",\"lastModified\":\"2024-09-23T16:32:04.373\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nila: call nf_unregister_net_hooks() sooner\\n\\nsyzbot found an use-after-free Read in ila_nf_input [1]\\n\\nIssue here is that ila_xlat_exit_net() frees the rhashtable,\\nthen call nf_unregister_net_hooks().\\n\\nIt should be done in the reverse way, with a synchronize_rcu().\\n\\nThis is a good match for a pre_exit() method.\\n\\n[1]\\n BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\\n BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\\n BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\\n BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\\nRead of size 4 at addr ffff888064620008 by task ksoftirqd/0/16\\n\\nCPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\\nCall Trace:\\n \u003cTASK\u003e\\n  __dump_stack lib/dump_stack.c:93 [inline]\\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\\n  print_address_description mm/kasan/report.c:377 [inline]\\n  print_report+0x169/0x550 mm/kasan/report.c:488\\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\\n  __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\\n  rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]\\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\\n  ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190\\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\\n  nf_hook include/linux/netfilter.h:269 [inline]\\n  NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312\\n  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]\\n  __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775\\n  process_backlog+0x662/0x15b0 net/core/dev.c:6108\\n  __napi_poll+0xcb/0x490 net/core/dev.c:6772\\n  napi_poll net/core/dev.c:6841 [inline]\\n  net_rx_action+0x89b/0x1240 net/core/dev.c:6963\\n  handle_softirqs+0x2c4/0x970 kernel/softirq.c:554\\n  run_ksoftirqd+0xca/0x130 kernel/softirq.c:928\\n  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164\\n  kthread+0x2f0/0x390 kernel/kthread.c:389\\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n \u003c/TASK\u003e\\n\\nThe buggy address belongs to the physical page:\\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620\\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\\npage_type: 0xbfffffff(buddy)\\nraw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000\\nraw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000\\npage dumped because: kasan: bad access detected\\npage_owner tracks the page as freed\\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187\\n  set_page_owner include/linux/page_owner.h:32 [inline]\\n  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493\\n  prep_new_page mm/page_alloc.c:1501 [inline]\\n  get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439\\n  __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695\\n  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]\\n  alloc_pages_node_noprof include/linux/gfp.h:296 [inline]\\n  ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103\\n  __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130\\n  __do_kmalloc_node mm/slub.c:4146 [inline]\\n  __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164\\n  __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650\\n  bucket_table_alloc lib/rhashtable.c:186 [inline]\\n  rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071\\n  ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613\\n  ops_ini\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ila: llamar a nf_unregister_net_hooks() antes de que syzbot encuentre una lectura de uso posterior a la liberaci\u00f3n en ila_nf_input [1] El problema aqu\u00ed es que ila_xlat_exit_net() libera la tabla rhash y luego llama a nf_unregister_net_hooks(). Deber\u00eda hacerse de forma inversa, con unsynchronous_rcu(). Esta es una buena combinaci\u00f3n para un m\u00e9todo pre_exit(). [1] ERROR: KASAN: use after free en rht_key_hashfn include/linux/rhashtable.h:159 [en l\u00ednea] ERROR: KASAN: use after free en __rhashtable_lookup include/linux/rhashtable.h:604 [en l\u00ednea] ERROR: KASAN: use after free en rhashtable_lookup include/linux/rhashtable.h:646 [en l\u00ednea] ERROR: KASAN: use after free en rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff888064620008 por la tarea ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 No contaminado 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Seguimiento de llamadas:  __dump_stack lib/dump_stack.c:93 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [en l\u00ednea] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [en l\u00ednea] __rhashtable_lookup include/linux/rhashtable.h:604 [en l\u00ednea] rhashtable_lookup include/linux/rhashtable.h:646 [en l\u00ednea] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [en l\u00ednea] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [en l\u00ednea] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [en l\u00ednea] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [en l\u00ednea] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [en l\u00ednea] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [en l\u00ednea] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  La direcci\u00f3n con errores pertenece a la p\u00e1gina f\u00edsica: page: refcount:0 mapcount:0 mapping:0000000000000000 \u00edndice:0x0 pfn:0x64620 indicadores: 0xfff00000000000(nodo=0|zona=1|lastcpupid=0x7ff) tipo_p\u00e1gina: 0xbfffffff(amigo) sin procesar: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 sin procesar: 000000000000000 000000000000003 00000000bfffffff 0000000000000000 p\u00e1gina volcada porque: kasan: se detect\u00f3 un acceso incorrecto page_owner rastrea la p\u00e1gina como liberada \u00faltima p\u00e1gina asignada mediante orden 3, migrantstype inamovible, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (ejecutor del sistema), ts 73611328570, free_ts 618981657187 establecer_propietario_de_p\u00e1gina include/linux/page_owner.h:32 [en l\u00ednea] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 preparar_nueva_p\u00e1gina mm/page_alloc.c:1501 [en l\u00ednea] obtener_p\u00e1gina_de_lista_libre+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [en l\u00ednea] alloc_pages_node_noprof include/linux/gfp.h:296 [en l\u00ednea] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [en l\u00ednea] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [en l\u00ednea] ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.5\",\"versionEndExcluding\":\"4.19.322\",\"matchCriteriaId\":\"EAB8EA35-2061-4F7A-8F89-A75EBF6032D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.284\",\"matchCriteriaId\":\"6265A402-9C3C-438F-BFC5-4194B2568B85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.226\",\"matchCriteriaId\":\"864FC17C-501A-4823-A643-6F35D65D8A97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.167\",\"matchCriteriaId\":\"043405A4-25FE-45D4-A7BB-2A0C3B7D17C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.110\",\"matchCriteriaId\":\"6B1A95FC-7E7E-428B-BB59-F76640C652AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.51\",\"matchCriteriaId\":\"E4529134-BAC4-4776-840B-304009E181A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.10\",\"matchCriteriaId\":\"ACDEE48C-137A-4731-90D0-A675865E1BED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8383ABF-1457-401F-9B61-EE50F4C61F4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B77A9280-37E6-49AD-B559-5B23A3B1DC3D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.