{"uuid": "9d218992-be86-4396-b11f-645885861715", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-46782", "type": "seen", "source": "https://t.me/cvedetector/5943", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-46782 - Here is the title: \"IPv6 ILA Rhashtable Use-After-Free Vulnerability\"\", \n  \"Content\": \"CVE ID : CVE-2024-46782 \nPublished : Sept. 18, 2024, 8:15 a.m. | 35\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nila: call nf_unregister_net_hooks() sooner  \n  \nsyzbot found an use-after-free Read in ila_nf_input [1]  \n  \nIssue here is that ila_xlat_exit_net() frees the rhashtable,  \nthen call nf_unregister_net_hooks().  \n  \nIt should be done in the reverse way, with a synchronize_rcu().  \n  \nThis is a good match for a pre_exit() method.  \n  \n[1]  \n BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]  \n BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]  \n BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]  \n BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672  \nRead of size 4 at addr ffff888064620008 by task ksoftirqd/0/16  \n  \nCPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0  \nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024  \nCall Trace:  \n   \n  __dump_stack lib/dump_stack.c:93 [inline]  \n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119  \n  print_address_description mm/kasan/report.c:377 [inline]  \n  print_report+0x169/0x550 mm/kasan/report.c:488  \n  kasan_report+0x143/0x180 mm/kasan/report.c:601  \n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]  \n  __rhashtable_lookup include/linux/rhashtable.h:604 [inline]  \n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]  \n  rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672  \n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]  \n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]  \n  ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190  \n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]  \n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626  \n  nf_hook include/linux/netfilter.h:269 [inline]  \n  NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312  \n  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]  \n  __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775  \n  process_backlog+0x662/0x15b0 net/core/dev.c:6108  \n  __napi_poll+0xcb/0x490 net/core/dev.c:6772  \n  napi_poll net/core/dev.c:6841 [inline]  \n  net_rx_action+0x89b/0x1240 net/core/dev.c:6963  \n  handle_softirqs+0x2c4/0x970 kernel/softirq.c:554  \n  run_ksoftirqd+0xca/0x130 kernel/softirq.c:928  \n  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164  \n  kthread+0x2f0/0x390 kernel/kthread.c:389  \n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147  \n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  \n   \n  \nThe buggy address belongs to the physical page:  \npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620  \nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)  \npage_type: 0xbfffffff(buddy)  \nraw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000  \nraw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000  \npage dumped because: kasan: bad access detected  \npage_owner tracks the page as freed  \npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187  \n  set_page_owner include/linux/page_owner.h:32 [inline]  \n  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493  \n  prep_new_page mm/page_alloc.c:1501 [inline]  \n  get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439  \n  __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695  \n  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]  \n  alloc_pages_node_noprof include/linux/gfp.h:296 [inline]  \n  ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103  \n  __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130  \n  __do_kmalloc_node m[...]", "creation_timestamp": "2024-09-18T10:52:47.000000Z"}