CVE-2024-40959 in Linux
Summary
by MITRE • 07/12/2024
In the Linux kernel, the following vulnerability has been resolved:
xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.
syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64 Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00 RSP: 0018:ffffc90000117378 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7 RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98 RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000 R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541 xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201 xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309 ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256 send6+0x611/0xd20 drivers/net/wireguard/socket.c:139 wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178 wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200 wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40 wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/27/2024
The vulnerability described in CVE-2024-40959 resides within the Linux kernel's implementation of the IPv6 IPsec framework, specifically in the xfrm6_get_saddr() function located in net/ipv6/xfrm6_policy.c. This flaw manifests as a null pointer dereference occurring when ip6_dst_idev() returns NULL, which the xfrm6_get_saddr() function fails to properly handle. The issue was identified through systematic fuzzing by syzbot, a kernel fuzzer designed to detect memory safety issues in the Linux kernel. The reported general protection fault indicates that the kernel attempted to access a non-canonical memory address, resulting in a kernel oops and potential system instability or crash.
The technical root cause of this vulnerability stems from a lack of proper null check in the xfrm6_get_saddr() function. The function relies on ip6_dst_idev() to obtain the network device information associated with an IPv6 destination, but this helper function can legitimately return NULL in certain network configurations or edge cases. When this happens, the calling function does not validate the return value before proceeding with operations that assume a valid device pointer, leading to an invalid memory access pattern. This behavior aligns with CWE-476, which defines null pointer dereference as a condition where a null value is used as if it were a valid pointer reference. The specific memory access pattern observed in the kernel crash stack trace shows that the kernel attempted to dereference a null pointer at address 0xdffffc0000000000, which is characteristic of a null pointer dereference in kernel space.
The operational impact of this vulnerability is significant as it can lead to kernel panics and system crashes, particularly in environments utilizing WireGuard VPN implementations that rely on the XFRM subsystem for IPsec policy handling. The vulnerability is triggered during network packet processing when the kernel attempts to resolve IPsec security associations for IPv6 traffic, specifically during handshake initiation in WireGuard implementations. The call stack demonstrates that the issue originates from WireGuard socket operations and propagates through the XFRM policy resolution chain, indicating that any system running WireGuard or similar IPsec implementations could be affected. This makes the vulnerability particularly concerning in network infrastructure and security-sensitive environments where such protocols are commonly deployed.
Mitigation strategies for this vulnerability should focus on ensuring that all kernel code properly validates return values from helper functions that may return NULL. The recommended fix involves modifying the xfrm6_get_saddr() function to check the return value of ip6_dst_idev() and handle the NULL case appropriately, either by returning an error code or by implementing alternative logic paths. This aligns with the principle of defensive programming and addresses the fundamental issue identified in the kernel code. System administrators should prioritize applying the patched kernel version as soon as possible, particularly in production environments running WireGuard or other IPsec-based network protocols. Additionally, monitoring for kernel oops messages and system crashes related to XFRM and IPv6 operations can help identify systems that may be vulnerable to this issue. The vulnerability demonstrates the importance of comprehensive null pointer validation in kernel space, especially in complex subsystems like IPsec policy handling where multiple layers of network abstraction exist.