CVE-2024-46782: ila: call nf_unregister_net_hooks() sooner
First published: Wed Sep 18 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. [1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | >=4.5<4.19.322 | |
| Linux Kernel | >=4.20<5.4.284 | |
| Linux Kernel | >=5.5<5.10.226 | |
| Linux Kernel | >=5.11<5.15.167 | |
| Linux Kernel | >=5.16<6.1.110 | |
| Linux Kernel | >=6.2<6.6.51 | |
| Linux Kernel | >=6.7<6.10.10 | |
| Linux Kernel | =6.11-rc1 | |
| Linux Kernel | =6.11-rc2 | |
| Linux Kernel | =6.11-rc3 | |
| Linux Kernel | =6.11-rc4 | |
| Linux Kernel | =6.11-rc5 | |
| Linux Kernel | =6.11-rc6 | |
| debian/linux | <=5.10.223-1 | 5.10.234-1 6.1.129-1 6.1.133-1 6.12.22-1 6.12.25-1 |
| debian/linux-6.1 | 6.1.129-1~deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466
- https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2
- https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf
- https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4
- https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c
- https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6
- https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673
- https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46782
- https://nvd.nist.gov/vuln/detail/CVE-2024-46782
- https://launchpad.net/bugs/cve/CVE-2024-46782
- https://security-tracker.debian.org/tracker/CVE-2024-46782
- https://ubuntu.com/security/CVE-2024-46782
- https://git.kernel.org/linus/031ae72825cef43e4650140b800ad58bf7a6a466
Frequently Asked Questions
What is the severity of CVE-2024-46782?
The severity of CVE-2024-46782 is not explicitly stated in the provided information.
How do I fix CVE-2024-46782?
To fix CVE-2024-46782, upgrade to the versions of the Linux kernel listed in the remedy section, such as 5.10.226-1 or 6.1.123-1.
Which Linux kernel versions are affected by CVE-2024-46782?
CVE-2024-46782 affects various versions of the Linux kernel between 4.5 and 6.10.10, including specific versions like 5.10.223-1 and 6.12.11-1.
What type of vulnerability is CVE-2024-46782?
CVE-2024-46782 is a use-after-free vulnerability that can lead to reading invalid memory.
How was CVE-2024-46782 discovered?
CVE-2024-46782 was discovered by syzbot, which reported the use-after-free issue in the ila_nf_input function.
- agent/title
- agent/first-publish-date
- agent/type
- agent/severity
- agent/remedy
- agent/weakness
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.5
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.11-rc1
- version/linux kernel/6.11-rc2
- version/linux kernel/6.11-rc3
- version/linux kernel/6.11-rc4
- version/linux kernel/6.11-rc5
- version/linux kernel/6.11-rc6
- package-manager/debian