CVE-2024-35886

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix infinite recursion in fib6dumpdone().

syzkaller reported infinite recursive calls of fib6dumpdone() during netlink socket destruction. [1]

From the log, syzkaller sent an AFUNSPEC RTMGETROUTE message, and then the response was generated. The following recvmmsg() resumed the dump for IPv6, but the first call of inet6dumpfib() failed at kzalloc() due to the fault injection. [0]

12:01:34 executing program 3: r0 = socket$nlroute(0x10, 0x3, 0x0) sendmsg$nlroute(r0, ... snip ...) recvmmsg(r0, ... snip ...) (fail_nth: 8)

Here, fib6dumpdone() was set to nlksk(sk)->cb.done, and the next call of inet6dumpfib() set it to nlksk(sk)->cb.args[3]. syzkaller stopped receiving the response halfway through, and finally netlinksockdestruct() called nlk_sk(sk)->cb.done().

fib6dumpdone() calls fib6dumpend() and nlksk(sk)->cb.done() if it is still not NULL. fib6dumpend() rewrites nlksk(sk)->cb.done() by nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling itself recursively and hitting the stack guard page.

To avoid the issue, let's set the destructor after kzalloc().

name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dumpstacklvl (lib/dumpstack.c:117) shouldfailex (lib/fault-inject.c:52 lib/fault-inject.c:153) shouldfailslab (mm/slub.c:3733) kmalloctrace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) inet6dumpfib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6fib.c:662) rtnldumpall (net/core/rtnetlink.c:4029) netlinkdump (net/netlink/afnetlink.c:2269) netlinkrecvmsg (net/netlink/afnetlink.c:1988) _sysrecvmsg (net/socket.c:1046 net/socket.c:2801) sysrecvmsg (net/socket.c:2846) dorecvmmsg (net/socket.c:2943) _x64sysrecvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)

stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events netlinksockdestructwork RIP: 0010:fib6dumpdone (net/ipv6/ip6fib.c:570) Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000 R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <#DF> </#DF> <TASK> fib6dumpdone (net/ipv6/ip6fib.c:572 (discriminator 1)) fib6dumpdone (net/ipv6/ip6fib.c:572 (discriminator 1)) ... fib6dumpdone (net/ipv6/ip6fib.c:572 (discriminator 1)) fib6dumpdone (net/ipv6/ip6fib.c:572 (discriminator 1)) netlinksockdestruct (net/netlink/afnetlink.c:401) _skdestruct (net/core/sock.c:2177 (discriminator 2)) skdestruct (net/core/sock.c:2224) _skfree (net/core/sock.c:2235) skfree (net/core/sock.c:2246) processonework (kernel/workqueue.c:3259) workerthread (kernel/workqueue.c:3329 kernel/workqueue. ---truncated---