CVE-2024-40960 in Linux

Summary

by MITRE • 07/12/2024

In the Linux kernel, the following vulnerability has been resolved:

ipv6: prevent possible NULL dereference in rt6_probe()

syzbot caught a NULL dereference in rt6_probe() [1]

Bail out if __in6_dev_get() returns NULL.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
RSP: 0018:ffffc900034af070 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
FS:  00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
 nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
 __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
 find_rr_leaf net/ipv6/route.c:853 [inline]
 rt6_select net/ipv6/route.c:897 [inline]
 fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
 ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
 pol_lookup_func include/net/ip6_fib.h:616 [inline]
 fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
 ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
 ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
 ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
 ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
 rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
 inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x6b6/0x1140 fs/read_write.c:590
 ksys_write+0x1f8/0x260 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f


Analysis

by VulDB Data Team • 09/27/2024

CVE-2024-40960 is a NULL pointer dereference in the Linux kernel's IPv6 routing code, in rt6_probe() (net/ipv6/route.c). rt6_probe() calls __in6_dev_get() to fetch the per-device IPv6 state (struct inet6_dev) of a nexthop's egress device and then reads a configuration field from it without checking whether the call returned NULL. The bug was found by syzbot, Google's continuous kernel fuzzer, on a 6.10.0-rc2 build. The report is a KASAN crash rather than a plain page fault: KASAN instruments the load with a shadow-memory check, and for a pointer near NULL the computed shadow address lies in the x86-64 non-canonical hole, so the check itself raises a general protection fault. The numbers in the trace fit together: RDI holds 0x65c, the address the code was about to read (NULL plus the offset of the field inside struct inet6_dev); KASAN checks the 8-byte granule 0x658-0x65f that contains it; and the shadow address of that granule is 0x658 >> 3 = 0xcb (RDX) plus the shadow offset 0xdffffc0000000000 (RAX), which is exactly the reported non-canonical address 0xdffffc00000000cb. The call trace shows the path: a process writing to a raw IPv6 socket (rawv6_sendmsg) triggers an output route lookup (ip6_route_output_flags, fib6_table_lookup, rt6_select, __find_rr_leaf), which walks the candidate nexthops (nexthop_for_each_fib6_nh, rt6_nh_find_match, find_match) and calls rt6_probe() for the gateway of each. The practical consequence is a kernel oops in the network stack, that is, a denial of service against the affected host.
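As an added worked example (not part of the VulDB analysis and not kernel code), the following C program reproduces the arithmetic that links the three addresses in the report above: the GPF address 0xdffffc00000000cb, the KASAN range 0x658-0x65f and RDI = 0x65c. It assumes the x86-64 KASAN defaults (shadow offset 0xdffffc0000000000, eight bytes of memory per shadow byte, 4 KiB pages); the struct and helper names are this example's own, not the kernel's.

```c
/*
 * Added example, not from the kernel or from this page's analysis: decode
 * the KASAN general protection fault quoted in the report, for x86-64.
 * Constants are the x86-64 KASAN defaults (shadow offset 0xdffffc0000000000,
 * one shadow byte per 8 bytes of memory, 4096-byte pages). The addresses in
 * main() are copied from the trace on this page.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL

/* The mapping the kernel's instrumentation computes before every access:
 * shadow = (addr >> 3) + offset. In the trace this is the shr rdx,3 /
 * movabs rax,0xdffffc0000000000 pair, leaving RDX = 0xcb, RAX = offset. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse: from the shadow address that appears as the "non-canonical
 * address" of the GPF, recover the start of the 8-byte granule checked. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* x86-64 addresses are canonical only when bits 63..47 are all equal.
 * The shadow of a near-NULL pointer is not, so the shadow load itself
 * raises #GP rather than #PF; that is why the oops says "general
 * protection fault, probably for non-canonical address". */
static int is_non_canonical(uint64_t addr)
{
    uint64_t hi = addr >> 47;           /* bits 63..47 */
    return hi != 0 && hi != 0x1ffff;
}

/* Same labelling the kernel applies to a wild access: anything inside the
 * first page is reported as a NULL-based dereference. */
static const char *kasan_wild_bug_type(uint64_t addr)
{
    return addr < PAGE_SIZE ? "null-ptr-deref" : "not-null-based";
}

struct gpf_decode {
    uint64_t granule_lo;   /* first byte covered by the faulting shadow byte */
    uint64_t granule_hi;   /* last byte covered */
    int      non_canonical;
};

/* Turn the GPF address back into the memory range KASAN was checking. */
static struct gpf_decode decode_kasan_gpf(uint64_t gpf_addr)
{
    struct gpf_decode d;
    d.non_canonical = is_non_canonical(gpf_addr);
    d.granule_lo = kasan_shadow_to_mem(gpf_addr);
    d.granule_hi = d.granule_lo + KASAN_GRANULE_SIZE - 1;
    return d;
}

int main(void)
{
    uint64_t gpf = 0xdffffc00000000cbULL;   /* "non-canonical address" line */
    uint64_t rdi = 0x65cULL;                /* RDI: the address being read */
    struct gpf_decode d = decode_kasan_gpf(gpf);

    printf("GPF shadow 0x%" PRIx64 " -> granule [0x%" PRIx64 "-0x%" PRIx64 "], %s, %s\n",
           gpf, d.granule_lo, d.granule_hi,
           d.non_canonical ? "non-canonical" : "canonical",
           kasan_wild_bug_type(d.granule_lo));
    printf("RDI 0x%" PRIx64 " -> shadow 0x%" PRIx64 " (%s the GPF address); "
           "field offset in the pointed-to struct: 0x%" PRIx64 "\n",
           rdi, kasan_mem_to_shadow(rdi),
           kasan_mem_to_shadow(rdi) == gpf ? "matches" : "does not match",
           rdi);
    return 0;
}
```

The same two functions apply to any KASAN GPF on x86-64: when an oops names a non-canonical address beginning 0xdffffc, convert it back with kasan_shadow_to_mem() and you have the real access address range, and a result below 4096 tells you the pointer was NULL plus a struct offset, which pahole or the disassembly around RIP can then map to a field.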

The root cause is CWE-476, NULL Pointer Dereference: a program reads through a pointer that is NULL because the code that produced it could not supply an object. rt6_probe() implements router reachability probing. When route selection considers a gateway route whose neighbour entry is not known to be reachable, it schedules a neighbour probe, rate limited by the device's router probe interval setting, which lives in the device's inet6_dev configuration. The function obtained that inet6_dev with __in6_dev_get(dev) and read the interval without a NULL check. __in6_dev_get() returns NULL when the net_device has no IPv6 state attached, so a route whose nexthop device is in that state crashed the kernel on the first lookup that reached the probe. The defect is the ordinary one of trusting a return value that can legitimately be NULL, and the fix is the ordinary one of checking it at the call site. The trace shows the trigger came from a local process calling sendmsg() on a raw IPv6 socket, which enters the standard output route lookup; the same lookup serves any locally originated IPv6 traffic, so the raw socket (which needs CAP_NET_RAW) is simply the entry point the fuzzer happened to use. The page does not show how syzbot arranged for a nexthop device without IPv6 state, and nothing in the trace involves inbound packets, so a purely remote trigger is not established by this report; the demonstrated impact is a local denial of service.

The operational impact is availability: the dereference takes down the kernel, and unflushed data and open sessions on the host are lost until it is rebooted, which matters most for routers, gateways and always-on servers. The crash was caught on a 6.10.0-rc2 build, but the probing code predates that release, so the maintained older series were affected as well and received backported fixes; treat the exact affected range as defined by your distribution's advisory rather than by the version string in the trace. Triggering the bug requires an IPv6 route lookup that reaches rt6_probe() for a gateway route whose egress device has no IPv6 state, which in the report happened from a local send; anyone who can originate IPv6 traffic on the host, or influence its routing configuration, can reach that path. Exposure therefore scales with how many parties can send IPv6 traffic from a system, and remote reachability exists only where remote input can cause such a lookup, which this report does not demonstrate. The scoring data on this page (EPSS 0.00268, not in KEV, very low activity) is consistent with a denial-of-service bug with no known exploitation in the wild.

The fix is small: rt6_probe() now checks the return value of __in6_dev_get() and bails out of the probe when it is NULL, before anything in the inet6_dev is read. Apply it by upgrading to a kernel that contains the upstream commit, which went into mainline before the 6.10 release and was backported to the maintained stable series; use your distribution's advisory for CVE-2024-40960 to identify the exact package version. Where patching must wait, limit who can originate IPv6 traffic on the host (raw sockets in particular need CAP_NET_RAW, so do not grant it casually), keep routing configuration under change control, and make sure crash capture (kdump or pstore) is enabled so that an unexplained reboot can be attributed to this bug from the rt6_probe frame in the trace. The failure mode maps to ATT&CK T1499.004 (Endpoint Denial of Service: Application or System Exploitation). Longer term, automated patch management for kernel updates and periodic review of similar lookup-then-dereference patterns in other subsystems address the class of defect rather than this one instance: every helper that can return NULL must be checked at each call site.
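As an added example that is neither kernel code nor part of the VulDB analysis, the following user-space C program models the defect described above and the shape of the fix side by side. The struct and function names echo the kernel's (struct inet6_dev, struct fib6_nh, __in6_dev_get, time_after) so the pattern is recognisable, but their layouts, the jiffies clock, the device names and the result enum are simplifications invented for this example; the real rt6_probe() schedules neighbour work rather than returning a code.

```c
/*
 * Added example (not kernel code): a user-space model of the rt6_probe()
 * NULL dereference and its fix. Names mirror the kernel's for readability;
 * layouts, the fake jiffies clock and the probe_result enum are this
 * example's simplifications.
 */
#include <stdbool.h>
#include <stdio.h>

struct ipv6_devconf {
    long rtr_probe_interval;   /* minimum jiffies between router probes */
};

struct inet6_dev {             /* per-device IPv6 state */
    struct ipv6_devconf cnf;
};

struct net_device {
    const char *name;
    struct inet6_dev *ip6_ptr; /* NULL when the device has no IPv6 state */
};

struct fib6_nh {               /* one nexthop of an IPv6 route */
    struct net_device *fib_nh_dev;
    bool gw_set;               /* stands in for fib_nh_gw_family != 0 */
    unsigned long last_probe;  /* jiffies when a probe was last sent */
};

/* Model of __in6_dev_get(): may legitimately return NULL. */
static struct inet6_dev *model_in6_dev_get(const struct net_device *dev)
{
    return dev->ip6_ptr;
}

/* Kernel-style time_after(a, b) for wrapping unsigned jiffies. */
static bool time_after(unsigned long a, unsigned long b)
{
    return (long)(b - a) < 0;
}

enum probe_result { PROBE_NONE = 0, PROBE_SEND = 1, PROBE_NO_IDEV = 2 };

/* Vulnerable shape: reads idev->cnf without checking for NULL. Passing a
 * nexthop whose device has ip6_ptr == NULL reads from NULL plus the field
 * offset, which is exactly the 0x65c access in the KASAN report. */
static enum probe_result rt6_probe_vulnerable(const struct fib6_nh *nh,
                                              unsigned long now)
{
    if (!nh->gw_set)
        return PROBE_NONE;              /* only gateway routes are probed */
    struct inet6_dev *idev = model_in6_dev_get(nh->fib_nh_dev);
    if (time_after(now, nh->last_probe + idev->cnf.rtr_probe_interval))
        return PROBE_SEND;
    return PROBE_NONE;
}

/* Fixed shape: bail out before touching idev, as the upstream fix does. */
static enum probe_result rt6_probe_fixed(const struct fib6_nh *nh,
                                         unsigned long now)
{
    if (!nh->gw_set)
        return PROBE_NONE;
    struct inet6_dev *idev = model_in6_dev_get(nh->fib_nh_dev);
    if (!idev)
        return PROBE_NO_IDEV;           /* the added check */
    if (time_after(now, nh->last_probe + idev->cnf.rtr_probe_interval))
        return PROBE_SEND;
    return PROBE_NONE;
}

/* Constructed fixtures: one device with IPv6 state, one without. */
static struct inet6_dev g_idev = { .cnf = { .rtr_probe_interval = 60 * 100 } }; /* 60 s at HZ=100 */
static struct net_device g_eth0 = { "eth0", &g_idev };
static struct net_device g_eth1 = { "eth1", NULL };

/* Run either shape on a gateway nexthop over the given device. */
static enum probe_result probe_via(struct net_device *dev, unsigned long last,
                                   unsigned long now, bool fixed)
{
    struct fib6_nh nh = { .fib_nh_dev = dev, .gw_set = true, .last_probe = last };
    return fixed ? rt6_probe_fixed(&nh, now) : rt6_probe_vulnerable(&nh, now);
}

int main(void)
{
    printf("eth0, probe due:     vulnerable=%d fixed=%d\n",
           probe_via(&g_eth0, 0, 10000, false), probe_via(&g_eth0, 0, 10000, true));
    printf("eth0, probe not due: vulnerable=%d fixed=%d\n",
           probe_via(&g_eth0, 9000, 10000, false), probe_via(&g_eth0, 9000, 10000, true));
    printf("eth1 (no idev):      fixed=%d (the vulnerable shape segfaults here)\n",
           probe_via(&g_eth1, 0, 10000, true));
    return 0;
}
```

On a device that has IPv6 state both shapes agree, which is why the bug survived ordinary testing; only the device without an inet6_dev separates them, and there the unpatched shape reads through NULL (change the last call in main() to fixed=false to see the user-space equivalent of the oops).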

Responsible: Linux
Reservation: 07/12/2024
Disclosure: 07/12/2024
Moderation: accepted
CPE: ready
EPSS: 0.00268
KEV: no
Activities: very low
