In the Linux kernel, a vulnerability has been resolved in the handling of IPv6 routes when their device is removed. The Common Vulnerabilities and Exposures (CVE) ID assigned to this issue is CVE-2024-56751. The bug manifested as a hangup at device removal time: the kernel waited indefinitely for a leaked device reference to be dropped.
Details
The issue was observed when the pmtu.sh self-test hit an aperiodic hangup during device removal, with the kernel logging "unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6".
Original references
1. Kernel bug report: https://bugzilla.kernel.org/show_bug.cgi?id=213151
2. Kernel patch message: https://lore.kernel.org/netdev/a1bc71a2-345f-b34c-14e6-3b104018662a@gmail.com/
The following code snippet is part of the patch that addresses this issue:

    void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev, int how)
    {
        struct rt6_info *rt = (struct rt6_info *) dst;

        /* Only act when the dst or its idev is bound to the device going away. */
        if (dev == dst->dev || dev == rt->rt6i_idev->dev) {
            const struct in6_addr *gw_addr;
            struct fib6_nh *nh = rt->from->nh;

            /* Gateway address from the shared nexthop, else from the route's own nexthop. */
            gw_addr = nh ? &nh->fib_nh_gw6 : &rt->from->fib6_nh->fib_nh_gw6;
            dst_link_failure(dst, (struct sockaddr *) gw_addr, how);

            /* Drop the reference still held through the originating route info. */
            if (nh)
                fib6_force_release(nh);
        }
    }
Exploit details
The problem was caused by the dst_cache holding a reference to the device being removed, through the originating fib6_info that the cached dst still pointed at. Because that fib6_info was never released when the device went down, the device's usage count never reached zero and unregister_netdevice looped waiting for it. The solution, implemented in the patch, is to explicitly release the originating fib info when disconnecting a device to be removed from a live IPv6 route. This is similar to the approach taken in commit f5b51fe804ec ("ipv6: route: purge exception on removal").
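To make the reference chain concrete, here is a constructed user-space model of the leak and its fix (added example, not kernel code): a cached dst keeps a counted reference to the originating fib6_info, which in turn pins the device. The struct and function names are simplified stand-ins that only mirror the kernel's naming; the device's usage count plays the role of the "Usage count" in the dmesg message.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins (not the kernel's real structs). */
struct net_device { atomic_int usage; };          /* "Usage count" in dmesg */

struct fib6_info {                                /* originating route */
    atomic_int refcnt;
    struct net_device *dev;                       /* pinned while refcnt > 0 */
};

struct rt6_info {                                 /* dst entry kept in a dst_cache */
    struct fib6_info *_Atomic from;               /* NULL once detached */
};

static void fib6_info_release(struct fib6_info *f)
{
    /* Dropping the last reference unpins the device. */
    if (f && atomic_fetch_sub(&f->refcnt, 1) == 1)
        atomic_fetch_sub(&f->dev->usage, 1);
}

static struct fib6_info *fib6_info_get(struct fib6_info *f)
{
    atomic_fetch_add(&f->refcnt, 1);
    return f;
}

/* Pre-fix behaviour: the dst is re-pointed elsewhere, but rt->from keeps
 * its reference, so the fib6_info and therefore the device never go away. */
static void ip6_dst_ifdown_before(struct rt6_info *rt) { (void)rt; }

/* Fixed behaviour: detach the originating fib6_info and release it. */
static void ip6_dst_ifdown_after(struct rt6_info *rt)
{
    struct fib6_info *from = atomic_exchange(&rt->from, NULL);
    fib6_info_release(from);
}

/* Device usage count left after route removal and device teardown;
 * 0 means unregister_netdevice can proceed, anything else means it waits. */
int device_usage_after_removal(bool fixed)
{
    struct net_device dev = { .usage = 1 };                     /* held by route */
    struct fib6_info route = { .refcnt = 1, .dev = &dev };      /* held by FIB */
    struct rt6_info cached = { .from = fib6_info_get(&route) }; /* dst_cache ref */

    fib6_info_release(&route);        /* FIB drops its ref when the route goes */
    if (fixed)
        ip6_dst_ifdown_after(&cached);
    else
        ip6_dst_ifdown_before(&cached);
    return atomic_load(&dev.usage);
}
```

With the pre-fix path the count stays at 1 forever, which is exactly the condition the "waiting for veth_A-R1 to become free" message reports.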
The vulnerability could cause unexpected behavior, in practice a denial of service: device removal hangs while the kernel waits for the leaked reference to be dropped.
The patch has been tested and no issues were observed after more than 400 iterations of the self-test, whereas an unpatched kernel reproduced the hang every 10 iterations.
Conclusion
CVE-2024-56751 is a vulnerability in the Linux kernel related to IPv6 routing and device removal. The patch addresses the issue by explicitly releasing the originating fib info when disconnecting a device to be removed from a live IPv6 route. Upgrading the kernel to a version that contains this patch is recommended to prevent unexpected behavior and potential security issues.
Timeline
Published on: 12/29/2024 12:15:08 UTC
Last modified on: 01/06/2025 17:00:37 UTC