CVE CyberSecurity Database News

CVE-2024-40960 - Linux Kernel IPv6 NULL Dereference Vulnerability Resolved

Poster -

A NULL pointer dereference vulnerability exists in the Linux kernel, specifically in the IPv6 routing subsystem. The vulnerability has been resolved in the latest kernel update. The vulnerability affects the rt6_probe() function and occurs due to lack of proper checks in the code for invalid pointers or addresses. The Linux kernel developers have designed a fix to address the issue, which prevents the possible dereference by bailing out early if the __in6_dev_get() function call returns NULL.

Details of the vulnerability

The bug was caught by syzbot [1], which is an automated bug-hunting tool that continuously probes Linux kernel code for potential issues. The provided reference [1] contains additional details about the vulnerability, which is described as a "general protection fault, probably for non-canonical address." When mishandled, this type of fault can lead to kernel crashes or undefined behavior.

In this particular case, the following code snipplet from net/ipv6/route.c file in the Linux kernel demonstrates the issue:

static void rt6_probe(struct rt6_info *rt)
{
(...)
    in6_dev = __in6_dev_get(skb->dev);
    if (in6_dev && in6_dev->cnf.rtr_probe_interval)
	    rt->rt6i_flags |= RTF_PROBED;
(...)
}

In the code above, the issue is due to not checking the return value of __in6_dev_get() function call, which might return NULL. If that happens, subsequent usage of the in6_dev pointer would result in a NULL dereference.

This is how the fix has been implemented in the Linux kernel

static void rt6_probe(struct rt6_info *rt)
{
(...)
    in6_dev = __in6_dev_get(skb->dev);
    if (!in6_dev)
	    return;
    if (in6_dev->cnf.rtr_probe_interval)
	    rt->rt6i_flags |= RTF_PROBED;
(...)
}

As we can see, after the fix, the code checks if in6_dev is NULL, and if so, it bails out early by returning from the function. This check prevents any NULL dereference issues with the in6_dev pointer.

Impact

The NULL dereference in rt6_probe() function can potentially lead to kernel crashes, system instability, and even remote code execution in some cases. The issue affects any application or system using the IPv6 subsystem of the Linux kernel. It's crucial for users and system administrators to update their Linux kernel to the latest version, which includes the patch for this vulnerability.

References

1. syzbot report on NULL dereference in rt6_probe()

In conclusion, the CVE-2024-40960 vulnerability has been resolved in the latest Linux kernel by preventing possible NULL pointer dereference in the rt6_probe() function of the IPv6 routing subsystem. Update your kernel to the latest version and ensure that your system is protected against this vulnerability.

Timeline

Published on: 07/12/2024 13:15:18 UTC
Last modified on: 08/21/2024 16:53:01 UTC