Bug 1221630 (CVE-2024-26631) - VUL-0: CVE-2024-26631: kernel: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
Summary: VUL-0: CVE-2024-26631: kernel: ipv6: mcast: fix data-race in ipv6_mc_down / m...
Status: IN_PROGRESS
Alias: CVE-2024-26631
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Denis Kirjanov
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398037/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26631:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-18 14:47 UTC by SMASH SMASH
Modified: 2024-07-03 09:16 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-03-18 14:47:08 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work

idev->mc_ifc_count can be written over without proper locking.

Originally found by syzbot [1], fix this issue by encapsulating calls
to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with
mutex_lock() and mutex_unlock() accordingly as these functions
should only be called with mc_lock per their declarations.

[1]
BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work

write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
 mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
 ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
 addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
 addrconf_notify+0x310/0x980
 notifier_call_chain kernel/notifier.c:93 [inline]
 raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
 __dev_notify_flags+0x205/0x3d0
 dev_change_flags+0xab/0xd0 net/core/dev.c:8685
 do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
 rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
 rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
 rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
 netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
 ...

write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
 mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
 worker_thread+0x525/0x730 kernel/workqueue.c:2781
 ...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26631
https://git.kernel.org/stable/c/62b3387beef11738eb6ce667601a28fa089fa02c
https://www.cve.org/CVERecord?id=CVE-2024-26631
https://git.kernel.org/stable/c/2e7ef287f07c74985f1bf2858bedc62bd9ebf155
https://git.kernel.org/stable/c/380540bb06bb1d1b12bdc947d1b8f56cda6b5663
https://git.kernel.org/stable/c/3bb5849675ae1d592929798a2b37ea450879c855
https://git.kernel.org/stable/c/3cc283fd16fba72e2cefe3a6f48d7a36b0438900