{"uuid": "85bfe0ab-7b32-4752-a326-2f2c3e3ebe2a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-56703", "type": "published-proof-of-concept", "source": "https://t.me/cvedetector/13828", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-56703 - Linux Kernel IPv6 Fib6 Select Path Soft Lockup\", \n  \"Content\": \"CVE ID : CVE-2024-56703 \nPublished : Dec. 28, 2024, 10:15 a.m. | 44\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nipv6: Fix soft lockups in fib6_select_path under high next hop churn  \n  \nSoft lockups have been observed on a cluster of Linux-based edge routers  \nlocated in a highly dynamic environment. Using the `bird` service, these  \nrouters continuously update BGP-advertised routes due to frequently  \nchanging nexthop destinations, while also managing significant IPv6  \ntraffic. The lockups occur during the traversal of the multipath  \ncircular linked-list in the `fib6_select_path` function, particularly  \nwhile iterating through the siblings in the list. The issue typically  \narises when the nodes of the linked list are unexpectedly deleted  \nconcurrently on a different core\u2014indicated by their 'next' and  \n'previous' elements pointing back to the node itself and their reference  \ncount dropping to zero. This results in an infinite loop, leading to a  \nsoft lockup that triggers a system panic via the watchdog timer.  \n  \nApply RCU primitives in the problematic code sections to resolve the  \nissue. Where necessary, update the references to fib6_siblings to  \nannotate or use the RCU APIs.  \n  \nInclude a test script that reproduces the issue. The script  \nperiodically updates the routing table while generating a heavy load  \nof outgoing IPv6 traffic through multiple iperf3 clients. It  \nconsistently induces infinite soft lockups within a couple of minutes.  \n  \nKernel log:  \n  \n 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb  \n 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3  \n 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4  \n 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03  \n 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f  \n 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756  \n 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af  \n 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d  \n--  --  \n 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb  \n    [exception RIP: fib6_select_path+299]  \n    RIP: ffffffff8ddafe7b  RSP: ffffbd13003d37b8  RFLAGS: 00000287  \n    RAX: ffff975850b43600  RBX: ffff975850b40200  RCX: 0000000000000000  \n    RDX: 000000003fffffff  RSI: 0000000051d383e4  RDI: ffff975850b43618  \n    RBP: ffffbd13003d3800   R8: 0000000000000000   R9: ffff975850b40200  \n    R10: 0000000000000000  R11: 0000000000000000  R12: ffffbd13003d3830  \n    R13: ffff975850b436a8  R14: ffff975850b43600  R15: 0000000000000007  \n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018  \n 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c  \n10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c  \n11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5  \n12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47  \n13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0  \n14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274  \n15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474  \n16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615  \n17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec  \n18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3  \n19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9  \n20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]  \n21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]  \n22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]  \n23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000  \n24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581  \n25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9  \n26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47  \n27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30  \n28 [ffffbd13003d3ee8] kthread at fffff[...]", "creation_timestamp": "2024-12-28T12:05:50.000000Z"}