In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work

idev->mc_ifc_count can be written over without proper locking.

Originally found by syzbot [1], fix this issue by encapsulating calls to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with mutex_lock() and mutex_unlock() accordingly as these functions should only be called with mc_lock per their declarations.

[1]
BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work

write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
 mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
 ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
 addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
 addrconf_notify+0x310/0x980
 notifier_call_chain kernel/notifier.c:93 [inline]
 raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
 __dev_notify_flags+0x205/0x3d0
 dev_change_flags+0xab/0xd0 net/core/dev.c:8685
 do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
 rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
 rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
 rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
 netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
 …

write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
 mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
 worker_thread+0x525/0x730 kernel/workqueue.c:2781
 …
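
The lost update behind the report above can be reproduced in a small userspace model. This is an added example, not kernel code or part of the fix: `struct idev_model`, the function names, and the worker's "decrement if non-zero" behaviour are assumptions chosen to mirror the two writers of the one-byte `mc_ifc_count`.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the one-byte counter from the KCSAN report. */
struct idev_model { uint8_t mc_ifc_count; };

/* Worker side (assumed behaviour): read the counter, then write back
 * counter - 1 if it was non-zero. Split in two so that a stop can be
 * scheduled between the load and the store. */
static uint8_t worker_load(const struct idev_model *d) { return d->mc_ifc_count; }
static void worker_store(struct idev_model *d, uint8_t seen)
{
    if (seen)
        d->mc_ifc_count = (uint8_t)(seen - 1);
}

/* Stop side: the interface is going down, so the counter is reset. */
static void stop_work(struct idev_model *d) { d->mc_ifc_count = 0; }

/* Run one schedule and return the final counter value.
 * stop_at: 0 = before the load, 1 = between load and store, 2 = after. */
static uint8_t run_schedule(uint8_t initial, int stop_at)
{
    struct idev_model d = { initial };
    uint8_t seen;

    if (stop_at == 0) stop_work(&d);
    seen = worker_load(&d);
    if (stop_at == 1) stop_work(&d);
    worker_store(&d, seen);
    if (stop_at == 2) stop_work(&d);
    return d.mc_ifc_count;
}

/* Count schedules that leave a non-zero counter on a stopped interface.
 * When both sides hold the same lock, the worker's load/store pair is
 * atomic with respect to the stop, so schedule 1 cannot occur. */
int stale_schedules(uint8_t initial, int with_lock)
{
    int stale = 0;
    for (int s = 0; s <= 2; s++) {
        if (with_lock && s == 1)
            continue;
        if (run_schedule(initial, s) != 0)
            stale++;
    }
    return stale;
}

int main(void)
{
    printf("unlocked stop: %d stale schedule(s)\n", stale_schedules(2, 0));
    printf("locked stop:   %d stale schedule(s)\n", stale_schedules(2, 1));
    return 0;
}
```
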
Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux | < 5.15.0-102.112 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1057.63 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1021.21 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1057.63~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1060.69 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-azure | < 6.5.0-1022.23 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < 5.15.0-1060.69~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < 6.5.0-1022.23~22.04.1 | UNKNOWN |
git.kernel.org/linus/2e7ef287f07c74985f1bf2858bedc62bd9ebf155 (6.8-rc1)
git.kernel.org/stable/c/2e7ef287f07c74985f1bf2858bedc62bd9ebf155
git.kernel.org/stable/c/380540bb06bb1d1b12bdc947d1b8f56cda6b5663
git.kernel.org/stable/c/3bb5849675ae1d592929798a2b37ea450879c855
git.kernel.org/stable/c/3cc283fd16fba72e2cefe3a6f48d7a36b0438900
git.kernel.org/stable/c/62b3387beef11738eb6ce667601a28fa089fa02c
launchpad.net/bugs/cve/CVE-2024-26631
nvd.nist.gov/vuln/detail/CVE-2024-26631
security-tracker.debian.org/tracker/CVE-2024-26631
ubuntu.com/security/notices/USN-6725-1
ubuntu.com/security/notices/USN-6725-2
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6819-4
www.cve.org/CVERecord?id=CVE-2024-26631