CVE-2024-26852

一、漏洞信息
漏洞编号：CVE-2024-26852
漏洞归属组件：kernel
漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0
CVSS V2.0分值：
BaseScore：0.0 Low
Vector：CVSS：2.0/
漏洞简述：
In the Linux kernel, the following vulnerability has been resolved:net/ipv6: avoid possible UAF in ip6_route_mpath_notify()syzbot found another use-after-free in ip6_route_mpath_notify() [1]Commit f7225172f25a ( net/ipv6: prevent use after free inip6_route_mpath_notify ) was not able to fix the root cause.We need to defer the fib6_info_release() calls afterip6_route_mpath_notify(), in the cleanup phase.[1]BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x167/0x540 mm/kasan/report.c:488 kasan_report+0x142/0x180 mm/kasan/report.c:601 rt6_fill_node+0x1460/0x1ac0 inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184 ip6_route_mpath_notify net/ipv6/route.c:5198 [inline] ip6_route_multipath_add net/ipv6/route.c:5404 [inline] inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77RIP: 0033:0x7f73dd87dda9Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002eRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858 Allocated by task 23037: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:372 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:3981 [inline] __kmalloc+0x22e/0x490 mm/slub.c:3994 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758 ip6_route_multipath_add net/ipv6/route.c:5298 [inline] inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77Freed by task 16: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640 poison_slab_object+0xa6/0xe0 m---truncated---
漏洞公开时间：2024-04-17 19:15:08
漏洞创建时间：2024-04-17 20:45:29
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2024-26852

更多参考(点击展开)

参考来源	参考链接	来源链接
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26852	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://www.cve.org/CVERecord?id=CVE-2024-26852	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-26852.mbox	https://bugzilla.suse.com/show_bug.cgi?id=1223057
suse_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2275761	https://bugzilla.suse.com/show_bug.cgi?id=1223057
redhat_bugzilla	https://lore.kernel.org/linux-cve-announce/2024041723-CVE-2024-26852-0057@gregkh/T	https://bugzilla.redhat.com/show_bug.cgi?id=2275761
ubuntu	https://www.cve.org/CVERecord?id=CVE-2024-26852	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/linus/685f7d531264599b3f167f1e94bbd22f120e5fab (6.8)	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2024-26852	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://launchpad.net/bugs/cve/CVE-2024-26852	https://ubuntu.com/security/CVE-2024-26852
ubuntu	https://security-tracker.debian.org/tracker/CVE-2024-26852	https://ubuntu.com/security/CVE-2024-26852
debian		https://security-tracker.debian.org/tracker/CVE-2024-26852

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
linux		https://git.kernel.org/linus/685f7d531264599b3f167f1e94bbd22f120e5fab	https://git.kernel.org/linus/3b1137fe74829e021f483756a648cbb87c8a1b4a	ubuntu

二、漏洞分析结构反馈
影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:net/ipv6: avoid possible UAF in ip6_route_mpath_notify()syzbot found another use-after-free in ip6_route_mpath_notify() [1]Commit f7225172f25a ( net/ipv6: prevent use after free inip6_route_mpath_notify ) was not able to fix the root cause.We need to defer the fib6_info_release() calls afterip6_route_mpath_notify(), in the cleanup phase.[1]BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x167/0x540 mm/kasan/report.c:488 kasan_report+0x142/0x180 mm/kasan/report.c:601 rt6_fill_node+0x1460/0x1ac0 inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184 ip6_route_mpath_notify net/ipv6/route.c:5198 [inline] ip6_route_multipath_add net/ipv6/route.c:5404 [inline] inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77RIP: 0033:0x7f73dd87dda9Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002eRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858 Allocated by task 23037: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:372 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:3981 [inline] __kmalloc+0x22e/0x490 mm/slub.c:3994 kmalloc include/linux/slab.h:594 [inline] kzalloc include/linux/slab.h:711 [inline] fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758 ip6_route_multipath_add net/ipv6/route.c:5298 [inline] inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77Freed by task 16: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640 poison_slab_object+0xa6/0xe0 m---truncated---
openEuler评分：
7.8
Vector：CVSS：2.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS-SP1(4.19.90):受影响
2.openEuler-20.03-LTS-SP4(4.19.90):受影响
3.openEuler-22.03-LTS(5.10.0):受影响
4.openEuler-22.03-LTS-SP1(5.10.0):受影响
5.openEuler-22.03-LTS-SP2(5.10.0):受影响
6.openEuler-22.03-LTS-SP3(5.10.0):受影响
7.master(6.1.0):不受影响
8.openEuler-22.03-LTS-Next(5.10.0):不受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4(4.19.90):否
3.openEuler-22.03-LTS(5.10.0):否
4.openEuler-22.03-LTS-SP1(5.10.0):否
5.openEuler-22.03-LTS-SP2(5.10.0):否
6.openEuler-22.03-LTS-SP3(5.10.0):否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next(5.10.0):否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否

Hi openeuler-ci-bot, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers.

@YangYingliang ,@成坚 (CHENG Jian) ,@jiaoff ,@AlexGuo ,@hanjun-guo ,@woqidaideshi ,@Jackie Liu ,@Zhang Yi ,@colyli ,@ThunderTown ,@htforge ,@Chiqijun ,@冷嘲啊 ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@Kefeng ,@SuperSix173 ,@WangShaoBo ,@Zheng Zucheng
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4(4.19.90):
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3(5.10.0):
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

修复是否涉及abi变化(是/否)：
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4(4.19.90):
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3(5.10.0):
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

issue处理具体操作请参考:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2024-26852	None	None	https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18 https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136 https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24 https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e
https://ubuntu.com/security/CVE-2024-26852	None	None	https://discourse.ubuntu.com/c/ubuntu-pro
https://www.opencve.io/cve/CVE-2024-26852	None	None	https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18 https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136 https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24 https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-26852
https://security-tracker.debian.org/tracker/CVE-2024-26852

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

@ci-robot 请确认分支: master,openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-Next,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2,openEuler-22.03-LTS-SP3,openEuler-24.03-LTS,openEuler-24.03-LTS-Next 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

@zhangchangzhong 请确认分支: master,openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-Next,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2,openEuler-22.03-LTS-SP3,openEuler-24.03-LTS,openEuler-24.03-LTS-Next 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

@chenyi 请确认分支: master,openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-Next,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2,openEuler-22.03-LTS-SP3,openEuler-24.03-LTS,openEuler-24.03-LTS-Next 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

@zhangjialin 请确认分支: master,openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-Next,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2,openEuler-22.03-LTS-SP3,openEuler-24.03-LTS,openEuler-24.03-LTS-Next 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

CVE-2024-26852

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

syzbot found another use-after-free in ip6_route_mpath_notify() [1]

Commit f7225172f25a ("net/ipv6: prevent use after free in
ip6_route_mpath_notify") was not able to fix the root cause.

We need to defer the fib6_info_release() calls after
ip6_route_mpath_notify(), in the cleanup phase.

[1]
BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0
Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037

CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x167/0x540 mm/kasan/report.c:488
kasan_report+0x142/0x180 mm/kasan/report.c:601
rt6_fill_node+0x1460/0x1ac0
inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184
ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]
ip6_route_multipath_add net/ipv6/route.c:5404 [inline]
inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517
rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f73dd87dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858

Allocated by task 23037:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slub.c:3981 [inline]
__kmalloc+0x22e/0x490 mm/slub.c:3994
kmalloc include/linux/slab.h:594 [inline]
kzalloc include/linux/slab.h:711 [inline]
fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155
ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758
ip6_route_multipath_add net/ipv6/route.c:5298 [inline]
inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517
rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 16:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640
poison_slab_object+0xa6/0xe0 m
---truncated---

openEuler评分:(评分和向量)
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1:受影响
2.openEuler-20.03-LTS-SP4:受影响
3.openEuler-22.03-LTS:受影响
4.openEuler-22.03-LTS-SP1:受影响
5.openEuler-22.03-LTS-SP2:受影响
6.openEuler-22.03-LTS-SP3:受影响
7.master(6.1.0):不受影响
8.openEuler-22.03-LTS-Next:不受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS:否
4.openEuler-22.03-LTS-SP1:否
5.openEuler-22.03-LTS-SP2:否
6.openEuler-22.03-LTS-SP3:否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next:否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否

===========================================================

@成坚 (CHENG Jian) ,@Xie XiuQi ,@YangYingliang ,@pi3orama ,@jiaoff ,@郭梦琪
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I9HK9R:CVE-2024-26852
受影响分支: openEuler-22.03-LTS/openEuler-22.03-LTS-SP1/openEuler-22.03-LTS-SP2
具体操作参考: https://gitee.com/help/articles/4142

@成坚 (CHENG Jian) ,@Xie XiuQi ,@YangYingliang ,@pi3orama ,@jiaoff ,@郭梦琪
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I9HK9R:CVE-2024-26852
受影响分支: openEuler-22.03-LTS-SP2/openEuler-22.03-LTS/openEuler-22.03-LTS-SP1
具体操作参考: https://gitee.com/help/articles/4142

src-openEuler / kernel

内容风险标识

评论 (11)

src-openEuler / kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-26852

评论 (11)

搜索帮助

src-openEuler / kernel