CVE-2024-56703

{"id": "CVE-2024-56703", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-12-28T10:15:18.433", "references": [{"url": "https://git.kernel.org/stable/c/11edcd026012ac18acee0f1514db3ed1b160fc6f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/34a949e7a0869dfa31a40416d2a56973fae1807b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/52da02521ede55fb86546c3fffd9377b3261b91f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d9ccb18f83ea2bb654289b6ecf014fd267cc988b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-835"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix soft lockups in fib6_select_path under high next hop churn\n\nSoft lockups have been observed on a cluster of Linux-based edge routers\nlocated in a highly dynamic environment. Using the `bird` service, these\nrouters continuously update BGP-advertised routes due to frequently\nchanging nexthop destinations, while also managing significant IPv6\ntraffic. The lockups occur during the traversal of the multipath\ncircular linked-list in the `fib6_select_path` function, particularly\nwhile iterating through the siblings in the list. The issue typically\narises when the nodes of the linked list are unexpectedly deleted\nconcurrently on a different core\u2014indicated by their 'next' and\n'previous' elements pointing back to the node itself and their reference\ncount dropping to zero. This results in an infinite loop, leading to a\nsoft lockup that triggers a system panic via the watchdog timer.\n\nApply RCU primitives in the problematic code sections to resolve the\nissue. Where necessary, update the references to fib6_siblings to\nannotate or use the RCU APIs.\n\nInclude a test script that reproduces the issue. The script\nperiodically updates the routing table while generating a heavy load\nof outgoing IPv6 traffic through multiple iperf3 clients. It\nconsistently induces infinite soft lockups within a couple of minutes.\n\nKernel log:\n\n 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb\n 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3\n 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4\n 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03\n 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f\n 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756\n 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af\n 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d\n-- <IRQ stack> --\n 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb\n [exception RIP: fib6_select_path+299]\n RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287\n RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000\n RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618\n RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830\n R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c\n10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c\n11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5\n12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47\n13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0\n14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274\n15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474\n16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615\n17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec\n18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3\n19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9\n20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]\n21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]\n22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]\n23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000\n24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581\n25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9\n26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47\n27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30\n28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f\n29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64\n30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ipv6: Se han observado bloqueos suaves en fib6_select_path bajo una alta rotaci\u00f3n del siguiente salto. Se han observado bloqueos suaves en un cl\u00faster del routeres de borde basados en Linux ubicados en un entorno altamente din\u00e1mico. Al usar el servicio `bird`, estos routeres actualizan continuamente las rutas anunciadas por BGP debido a que cambian con frecuencia los destinos del siguiente salto, al mismo tiempo que administran un tr\u00e1fico IPv6 significativo. Los bloqueos ocurren durante el recorrido de la lista enlazada circular de m\u00faltiples rutas en la funci\u00f3n `fib6_select_path`, particularmente mientras se itera a trav\u00e9s de los hermanos en la lista. El problema generalmente surge cuando los nodos de la lista enlazada se eliminan inesperadamente de manera concurrente en un n\u00facleo diferente, lo que se indica mediante sus elementos 'next' y 'previous' que apuntan al nodo mismo y su recuento de referencia cae a cero. Esto da como resultado un bucle infinito, lo que lleva a un bloqueo suave que desencadena un p\u00e1nico del sistema a trav\u00e9s del temporizador de vigilancia. Aplique primitivas RCU en las secciones de c\u00f3digo problem\u00e1ticas para resolver el problema. Cuando sea necesario, actualice las referencias a fib6_siblings para anotar o usar las API de RCU. Incluya un script de prueba que reproduzca el problema. El script actualiza peri\u00f3dicamente la tabla de enrutamiento mientras genera una gran carga de tr\u00e1fico IPv6 saliente a trav\u00e9s de varios clientes iperf3. Induce constantemente bloqueos suaves infinitos en un par de minutos. Registro del n\u00facleo: 0 [ffffbd13003e8d30] machine_kexec en ffffffff8ceaf3eb 1 [ffffbd13003e8d90] __crash_kexec en ffffffff8d0120e3 2 [ffffbd13003e8e58] p\u00e1nico en ffffffff8cef65d4 3 [ffffbd13003e8ed8] watchdog_timer_fn en ffffffff8d05cb03 4 [ffffbd13003e8f08] __hrtimer_run_queues en ffffffff8cfec62f 5 [ffffbd13003e8f70] hrtimer_interrupt en ffffffff8cfed756 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt en ffffffff8cea01af 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt en ffffffff8df1b83d -- -- 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt en ffffffff8e000ecb [excepci\u00f3n RIP: fib6_select_path+299] RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287 RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000 RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618 RBP: ffffbd13003d3800 R8: 000000000000000 R9: ffff975850b40200 R10: 000000000000000 R11: 000000000000000 R12: ffffbd13003d3830 R13: ffff975850b436a8 R14: ffff975850b43600 R15: 00000000000000007 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 9 [ffffbd13003d3808] ruta_pol_ip6 en ffffffff8ddb030c 10 [ffffbd13003d3888] entrada_ruta_pol_ip6 en ffffffff8ddb068c 11 [ffffbd13003d3898] b\u00fasqueda_regla_fib6 en ffffffff8ddf02b5 12 [ffffbd13003d3928] entrada_ruta_ip6 en ffffffff8ddb0f47 13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 en ffffffff8dd950d0 14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 en ffffffff8dd96274 15 [ffffbd13003d3a98] ip6_sublist_rcv en ffffffff8dd96474 16 [ffffbd13003d3af8] ipv6_list_rcv en ffffffff8dd96615 17 [ffffbd13003d3b60] __netif_receive_skb_list_core en ffffffff8dc16fec 18 [ffffbd13003d3be0] netif_receive_skb_list_internal en ffffffff8dc176b3 19 [ffffbd13003d3c50] napi_gro_receive en ffffffff8dc565b9 20 [ffffbd13003d3c80] ice_receive_skb en ffffffffc087e4f5 [hielo] 21 [ffffbd13003d3c90] ice_clean_rx_irq en ffffffffc0881b80 [hielo] 22 [ffffbd13003d3d20] ice_napi_poll en ffffffffc088232f [hielo] 23 [ffffbd13003d3d80] __napi_poll en ffffffff8dc18000 24 [ffffbd13003d3db8] net_rx_action en ffffffff8dc18581 25 [ffffbd13003d3e40] __do_softirq en ffffffff8df352e9 26 [ffffbd13003d3eb0] run_ksoftirqd en ffffffff8ceffe47 27 [ffffbd13003d3ec0] smpboot_thread_fn en ffffffff8cf36a30 28 [ffffbd13003d3ee8] kthread en ffffffff8cf2b39f 29 [ffffbd13003d3f28] ret_from_fork en ffffffff8ce5fa64 30 [ffffbd13003d3f50] ret_from_fork_asm en ffffffff8ce03cbb"}], "lastModified": "2025-10-01T20:17:42.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5EC1CA8D-18C2-4DD2-84A4-33C7DD6A4C17", "versionEndExcluding": "6.1.128", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8D39B53-7390-48BE-92FD-8846BE8E8430", "versionEndExcluding": "6.6.75", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21434379-192D-472F-9B54-D45E3650E893", "versionEndExcluding": "6.11.11", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}