CVE-2024-36902 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

syzbot is able to trigger the following crash [1],
caused by unsafe ip6_dst_idev() use.

Indeed ip6_dst_idev() can return NULL, and must always be checked.

[1]

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]
RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267 Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700 RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760 RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000 R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00 FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317 fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108 ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]
ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649 ip6_route_output include/net/ip6_route.h:93 [inline]
ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120 ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250 sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326 sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455 sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662 sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099 __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197 sctp_connect net/sctp/socket.c:4819 [inline]
sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline]
__sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline]
__se_sys_connect net/socket.c:2072 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 12/04/2025

The vulnerability described in CVE-2024-36902 resides within the Linux kernel's IPv6 forwarding and routing subsystem, specifically in the fib6_rules.c module. This flaw manifests as a potential NULL pointer dereference in the fib6_rule_action() function, which is triggered during IPv6 routing rule processing. The issue was identified through automated testing by syzbot, a kernel fuzzer, which demonstrated that an unsafe invocation of the ip6_dst_idev() helper function could lead to a general protection fault, indicating a critical kernel memory access violation. The root cause lies in the improper handling of a return value that can legitimately be NULL, a scenario that violates fundamental defensive programming principles and leads to system instability or potential privilege escalation.

The technical mechanism behind this vulnerability involves the fib6_rule_action() function in the IPv6 routing table management code. When processing routing rules for IPv6 destinations, the function calls ip6_dst_idev() to retrieve the network device associated with a destination. However, this helper function can return NULL under certain conditions, such as when the routing table entry is malformed or when the network interface context is not properly initialized. The lack of a NULL check before dereferencing this pointer results in a kernel crash, manifesting as a KASAN (Kernel Address Sanitizer) null pointer dereference error. This pattern aligns with CWE-476, which addresses the use of null pointers in software, and represents a classic example of improper error handling in kernel space. The crash occurs at a specific memory address, indicating that the kernel attempted to access an invalid memory location, which is a direct consequence of not validating the return value from ip6_dst_idev().

The operational impact of this vulnerability extends beyond simple system crashes, as it can be exploited to cause denial of service or potentially enable more sophisticated attacks within kernel space. The attack surface is primarily through IPv6 routing operations, particularly those involving SCTP (Stream Control Transmission Protocol) connections, which are used in various network services. The call stack shows that the vulnerability can be triggered through socket connection operations, suggesting that a malicious actor could potentially exploit this issue by initiating network connections to cause the kernel to process malformed IPv6 routing rules. This behavior places the vulnerability within ATT&CK framework domain of privilege escalation and denial of service, as it can be leveraged to disrupt network services or potentially gain unauthorized access to system resources. The vulnerability is particularly concerning because it affects core kernel networking functionality and can be triggered without requiring special privileges, making it a high-severity issue for all systems running affected kernel versions.

Mitigation strategies for CVE-2024-36902 must focus on ensuring proper validation of function return values before dereferencing pointers. The most direct fix involves adding a NULL check for the return value of ip6_dst_idev() in the fib6_rule_action() function, which is consistent with best practices for kernel development and defensive programming. System administrators should immediately apply the patched kernel version that resolves this issue, as no reliable workarounds exist that do not involve modifying kernel code. The fix should be deployed across all systems running Linux kernels that are affected by this vulnerability, particularly those handling IPv6 traffic or using SCTP networking protocols. Additionally, monitoring for kernel oops messages or system crashes related to IPv6 routing tables should be implemented to detect potential exploitation attempts. Organizations should also consider implementing network segmentation and access controls to limit exposure, as the vulnerability can be triggered through normal network operations and does not require elevated privileges to exploit. The patch addresses the core issue by ensuring that all potential NULL return values from ip6_dst_idev() are properly validated before use, thereby preventing the NULL pointer dereference that leads to the kernel crash.

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00289

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!