Bug 2250377 (CVE-2023-6200, ZDI-CAN-22579)

Summary: CVE-2023-6200 kernel: ICMPv6 Router Advertisement packets, aka Linux TCP/IP Remote Code Execution Vulnerability
Product: [Other] Security Response Reporter: Nick Tait <ntait>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, ajmitchell, allarkin, anprice, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, ezulian, gnault, hkrzesin, jamills, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, michal.skrivanek, mleitner, mmilgram, mperina, mstowell, nmurray, ptalbert, rogbas, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.7-rc7 Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2250438, 2260741    
Bug Blocks: 2250380    

Description Nick Tait 2023-11-17 23:11:19 UTC 
A flaw in the Linux Kernel found. When kernel receives a ICMPv6 router advertisement packet, the ndisc_router_discovery() is called. If the packet contains route information option with lifetime, fib6_set_expires() is used and link into the `gc_link`.
fib6_clean_expires() is used for unlink when it expired the `gc_link` within the `struct fib6_info` can be race in ndisc_router_discovery.
After that, the freed `struct fib6_info` is left in the `gc_link`.
It leads to UAF when other `struct fib6_info` attempt to link/unlink into the same `gc_link` or the `gc_link` is traversed.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dade3f6a1e4e
Comment 12 Guillaume Nault 2023-12-07 17:05:59 UTC 
(In reply to Nick Tait from comment #0)
> thread (A) thread (B)
> ndisc_router_discovery ndisc_router_discovery
> rt6_route_rcv
> rt = rt6_add_route_info
> ip6_del_rt(rt)
> fib6_clean_expires(rt)
> fib6_info_release(rt)
> fib6_set_expires(rt)
> fib6_info_release(rt) // free

This part of the report seems to have been whitespace-damaged.
The information about which functions belong to thread (A) and which belong to thread (B) are lost.
Does the original report also has missing spaces at the beginning of these lines?
Comment 30 Alex 2024-01-28 12:12:34 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2260741]
Comment 31 Justin M. Forbes 2024-01-29 18:19:06 UTC 
This was fixed for Fedora with the 6.6.9 stable kernel updates.