CVE-2024-35886

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-35886
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix infinite recursion in fib6_dump_done(). syzkaller reported infinite recursive calls of fib6_dump_done() during netlink socket destruction. [1] From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then the response was generated. The following recvmmsg() resumed the dump for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due to the fault injection. [0] 12:01:34 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, ... snip ...) recvmmsg(r0, ... snip ...) (fail_nth: 8) Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped receiving the response halfway through, and finally netlink_sock_destruct() called nlk_sk(sk)->cb.done(). fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling itself recursively and hitting the stack guard page. To avoid the issue, let's set the destructor after kzalloc(). [0]: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) should_failslab (mm/slub.c:3733) kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) rtnl_dump_all (net/core/rtnetlink.c:4029) netlink_dump (net/netlink/af_netlink.c:2269) netlink_recvmsg (net/netlink/af_netlink.c:1988) ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) ___sys_recvmsg (net/socket.c:2846) do_recvmmsg (net/socket.c:2943) __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034) [1]: BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb) stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570) Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000 R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <#DF> </#DF> <TASK> fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) ... fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) netlink_sock_destruct (net/netlink/af_netlink.c:401) __sk_destruct (net/core/sock.c:2177 (discriminator 2)) sk_destruct (net/core/sock.c:2224) __sk_free (net/core/sock.c:2235) sk_free (net/core/sock.c:2246) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue. ---truncated---

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2 Patch
https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778 Patch
https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061 Patch
https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe Patch
https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985 Patch
https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae Patch
https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776 Patch
https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 Patch
https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2 Patch
https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778 Patch
https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061 Patch
https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe Patch
https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985 Patch
https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae Patch
https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776 Patch
https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
History

23 Dec 2025, 19:28

Type Values Removed Values Added
First Time Linux
Debian
Debian debian Linux
Linux linux Kernel
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
CWE CWE-674
CWE-787
References () https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2 - () https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2 - Patch
References () https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778 - () https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778 - Patch
References () https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061 - () https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061 - Patch
References () https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe - () https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe - Patch
References () https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985 - () https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985 - Patch
References () https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae - () https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae - Patch
References () https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776 - () https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776 - Patch
References () https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 - () https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 - Patch
References () https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html - () https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html - Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html - () https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html - Third Party Advisory

21 Nov 2024, 09:21

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html -
  • () https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html -
References () https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2 - () https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2 -
References () https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778 - () https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778 -
References () https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061 - () https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061 -
References () https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe - () https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe -
References () https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985 - () https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985 -
References () https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae - () https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae -
References () https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776 - () https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776 -
References () https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 - () https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 -

05 Nov 2024, 10:16

Type Values Removed Values Added
References
  • {'url': 'https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}

27 Jun 2024, 12:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html -

25 Jun 2024, 22:15

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: ipv6: Se corrigió la recursividad infinita en fib6_dump_done(). syzkaller informó infinitas llamadas recursivas de fib6_dump_done() durante la destrucción del socket netlink. [1] Desde el registro, syzkaller envió un mensaje AF_UNSPEC RTM_GETROUTE y luego se generó la respuesta. El siguiente recvmmsg() reanudó el volcado para IPv6, pero la primera llamada de inet6_dump_fib() falló en kzalloc() debido a la inyección de falla. [0] 12:01:34 ejecutando el programa 3: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, ... recorte ...) recvmmsg(r0, ... recorte ...) (fail_nth: 8) Aquí, fib6_dump_done() se configuró en nlk_sk(sk)-&gt;cb.done, y la siguiente llamada de inet6_dump_fib() se configuró en nlk_sk(sk)-&gt;cb.args[3]. syzkaller dejó de recibir la respuesta a la mitad y finalmente netlink_sock_destruct() llamó a nlk_sk(sk)-&gt;cb.done(). fib6_dump_done() llama a fib6_dump_end() y nlk_sk(sk)-&gt;cb.done() si todavía no es NULL. fib6_dump_end() reescribe nlk_sk(sk)-&gt;cb.done() por nlk_sk(sk)-&gt;cb.args[3], pero tiene la misma función, no NULL, llamándose a sí mismo de forma recursiva y accediendo a la página de protección de pila. Para evitar el problema, configuremos el destructor después de kzalloc(). [0]: FAULT_INJECTION: forzando un fallo. nombre failslab, intervalo 1, probabilidad 0, espacio 0, tiempos 0 CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Nombre del hardware: PC estándar QEMU (i440FX + PIIX , 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 01/04/2014 Seguimiento de llamadas: dump_stack_lvl (lib/dump_stack.c:117) debería_fail_ex (lib/fault-inject.c :52 lib/fault-inject.c:153) must_failslab (mm/slub.c:3733) kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) inet6_dump_fib (./ include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) rtnl_dump_all (net/core/rtnetlink.c:4029) netlink_dump (net/netlink/af_netlink. c:2269) netlink_recvmsg (net/netlink/af_netlink.c:1988) ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) ___sys_recvmsg (net/socket.c:2846) do_recvmmsg (net/socket.c :2943) __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034) [1]: ERROR: La página de protección de la pila de TAREA fue visitada en 00000000f2fa9af1 (la pila es 00000000b7912430..000000009a436be b) pila página de protección: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Nombre de hardware: PC estándar QEMU (i440FX + PIIX, 1996) , BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 01/04/2014 Cola de trabajo: eventos netlink_sock_destruct_work RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570) Código: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd &lt;53&gt; 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 RAX: 00000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 RDX: 881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 0R11: 0000000000000224 R12: 0000000000000000 R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 FS: 0000000000000000(0000) ffff88811b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d97fff8 CR3: 0000000102309002 000000000770ef0 PKRU : 55555554 Seguimiento de llamadas: &lt;#DF&gt; fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminador 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminador 1)). .. fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminador 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminador 1)) netlink_sock_destruct (net/netlink/af_netlink.c:401) __sk_destruct (net/ core/sock.c:2177 (discriminador 2)) sk_destruct (net/core/sock.c:2224) __sk_free (net/core/sock.c:2235) sk_free (net/core/sock.c:2246) Process_one_work ( kernel/workqueue.c:3259)-truncado-
References
  • () https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html -

19 May 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-19 09:15

Updated : 2025-12-23 19:28

NVD link : CVE-2024-35886

Mitre link : CVE-2024-35886

CVE.ORG link : CVE-2024-35886

JSON object : View

Products Affected

debian

  • debian_linux

linux

  • linux_kernel
CWE
CWE-674

Uncontrolled Recursion

CWE-787

Out-of-bounds Write