In the Linux kernel, a vulnerability has been resolved in the IPv6 networking stack that could result in a NULL pointer dereference, leading to a general protection fault (GPF) and possibly a system crash or other unintended behavior. The affected function is ip6_output(), which is called when the system sends IPv6 packets.

This vulnerability was found by the syzbot automated bug-finding tool, which reported the following GPF resulting from a NULL dereference when sending an IPv6 packet:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]

The root cause of this issue is that ip6_dst_idev() can return NULL in certain cases. Most of the IPv6 stack handles a NULL idev correctly, but ip6_output() did not, and dereferenced the NULL pointer when reading the per-device configuration.

To resolve this issue, the Linux kernel developers added a NULL check for idev in ip6_output(). A packet whose destination has no idev is now dropped and counted as a discard instead of triggering the NULL dereference, which protects the system from the crash or other unintended behavior described above.
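The following user-space model, added here as an illustration and not code from the kernel or from the fix itself, shows the shape of the problem and of the check described above. The structures are constructed stand-ins with simplified layouts (only the fields the example needs), ip6_dst_idev() is modelled as a plain field read that may yield NULL, and the stats helper mirrors the kernel macro's behaviour of falling back to per-namespace counters when idev is NULL; function and field names are assumptions chosen to track the kernel's naming.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified models of the kernel structures involved. */
struct ipv6_devconf { int disable_ipv6; };
struct inet6_dev    { struct ipv6_devconf cnf; unsigned long out_discards; };
struct net          { unsigned long out_discards; };   /* per-namespace fallback */
struct dst_entry    { struct inet6_dev *idev; };       /* may legitimately be NULL */
struct sk_buff      { struct dst_entry *dst; int len; };

enum ip6_out_result { IP6_OUT_SENT = 0, IP6_OUT_DROPPED = 1 };

/* Model of ip6_dst_idev(): returns whatever the route carries, NULL included. */
static struct inet6_dev *ip6_dst_idev(const struct dst_entry *dst)
{
    return dst->idev;
}

/* Model of IP6_INC_STATS(): tolerates a NULL idev by counting on the netns. */
static void ip6_inc_out_discards(struct net *net, struct inet6_dev *idev)
{
    if (idev)
        idev->out_discards++;
    else
        net->out_discards++;
}

/* "Before" shape: reads idev->cnf.disable_ipv6 without checking idev.
 * With a NULL idev this read is the null-ptr-deref syzbot reported. */
static enum ip6_out_result ip6_output_unchecked(struct net *net, struct sk_buff *skb)
{
    struct inet6_dev *idev = ip6_dst_idev(skb->dst);

    if (idev->cnf.disable_ipv6) {            /* faults when idev == NULL */
        ip6_inc_out_discards(net, idev);
        return IP6_OUT_DROPPED;
    }
    return IP6_OUT_SENT;
}

/* "After" shape: a NULL idev is treated like a disabled interface. The
 * short-circuit '||' guarantees the field is only read when idev is valid. */
static enum ip6_out_result ip6_output_checked(struct net *net, struct sk_buff *skb)
{
    struct inet6_dev *idev = ip6_dst_idev(skb->dst);

    if (!idev || idev->cnf.disable_ipv6) {
        ip6_inc_out_discards(net, idev);     /* safe: helper handles NULL idev */
        return IP6_OUT_DROPPED;
    }
    return IP6_OUT_SENT;
}

/* Runs one scenario through the checked path. has_idev == 0 models a route
 * without an idev; net_discards receives the per-namespace discard count. */
static enum ip6_out_result scenario(int has_idev, int disable_ipv6,
                                    unsigned long *net_discards)
{
    struct net net = { 0 };
    struct inet6_dev idev = { { disable_ipv6 }, 0 };
    struct dst_entry dst = { has_idev ? &idev : NULL };
    struct sk_buff skb = { &dst, 64 };
    enum ip6_out_result r = ip6_output_checked(&net, &skb);

    if (net_discards)
        *net_discards = net.out_discards;
    return r;
}

int main(void)
{
    unsigned long discards = 0;

    printf("idev present, IPv6 enabled : %d\n", scenario(1, 0, &discards));
    printf("idev present, IPv6 disabled: %d\n", scenario(1, 1, &discards));
    printf("idev NULL                  : %d (netns discards=%lu)\n",
           scenario(0, 0, &discards), discards);
    /* ip6_output_unchecked() on the NULL-idev route would fault here. */
    return 0;
}
```

The unchecked variant is kept only to show where the fault originates; the checked variant is the pattern the fix establishes, and the per-namespace counter shows that the dropped packet is still accounted for even though no device statistics exist for it.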

The fix for this vulnerability can be found in the following commit:



Users and administrators of Linux systems that use IPv6 networking are encouraged to update to a kernel version that includes the fix, or to apply the patch manually.

Original references

- syzbot report
- Linux kernel mailing list discussion
- Patch for the vulnerability

Exploit details

An exploit would involve triggering the NULL dereference in ip6_output() by crafting IPv6 packets or scenarios in which ip6_dst_idev() returns NULL. The exact details are not provided here, as they vary with the kernel configuration and environment. Potential attackers would need to craft such packets and cause the affected system to send them in order to trigger the vulnerability. The impact of a successful exploit could include a system crash or other unintended behavior resulting from the GPF caused by the NULL dereference.

Timeline

Published on: 05/30/2024 16:15:13 UTC
Last modified on: 08/02/2024 03:43:49 UTC