A flaw in the Linux kernel was found. When the kernel receives an ICMPv6 router advertisement packet, ndisc_router_discovery() is called. If the packet contains a route information option with a lifetime, fib6_set_expires() is used and the route is linked into the `gc_link`. fib6_clean_expires() is used to unlink it when it expires. The `gc_link` within `struct fib6_info` can race in ndisc_router_discovery(). After that, the freed `struct fib6_info` is left in the `gc_link`. This leads to a UAF when another `struct fib6_info` attempts to link into or unlink from the same `gc_link`, or when the `gc_link` is traversed. Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dade3f6a1e4e
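Added illustration, not code from the kernel or from the report: a single-threaded model of the interleaving described above, with a toy intrusive list standing in for `gc_link` and a refcount standing in for the `fib6_info` reference. The names mirror the report; the list helpers, the "poisoned" marker that replaces kfree(), and the unlink-before-free guard in the hardened run are assumptions for the model, not a description of the upstream fix.

```c
/* Toy model of a fib6_info on a gc list (assumed names; not kernel code). */
#include <stdbool.h>
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };
#define LIST_INIT(n) { &(n), &(n) }

static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del_init(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = n; }

struct toy_fib6_info {
    int refcnt;
    bool poisoned;            /* stands in for kfree(): memory must not be touched */
    struct list_head gc_link; /* membership in the expiry (gc) list */
};
static struct list_head gc_list = LIST_INIT(gc_list);

static void set_expires(struct toy_fib6_info *rt)
{ if (rt->gc_link.next == &rt->gc_link) list_add(&rt->gc_link, &gc_list); }
static void clean_expires(struct toy_fib6_info *rt) { list_del_init(&rt->gc_link); }

static void info_release(struct toy_fib6_info *rt, bool unlink_on_free)
{
    if (--rt->refcnt) return;
    if (unlink_on_free) clean_expires(rt); /* assumed hardening: never free while linked */
    rt->poisoned = true;                   /* the real code frees the object here */
}

/* Walks the gc list the way an expiry sweep would; true if it reaches freed memory. */
static bool gc_walk_hits_freed(void)
{
    for (struct list_head *p = gc_list.next; p != &gc_list; p = p->next) {
        struct toy_fib6_info *rt =
            (struct toy_fib6_info *)((char *)p - offsetof(struct toy_fib6_info, gc_link));
        if (rt->poisoned) return true;
    }
    return false;
}

/* Interleaving from the report: B deletes the route and drops its ref, then A arms
 * the expiry and drops the last ref. Returns true if the gc list is left dangling. */
static bool run_interleaving(bool hardened)
{
    static struct toy_fib6_info rt; /* static so it stays inspectable after the "free" */
    rt = (struct toy_fib6_info){ .refcnt = 2, .gc_link = LIST_INIT(rt.gc_link) };
    clean_expires(&rt); info_release(&rt, hardened); /* B: ip6_del_rt(rt) */
    set_expires(&rt);                                /* A: fib6_set_expires(rt) */
    info_release(&rt, hardened);                     /* A: fib6_info_release(rt), last ref */
    bool dangling = gc_walk_hits_freed();
    list_del_init(&rt.gc_link);                      /* reset the list for the next run */
    return dangling;
}
```

With the unguarded release the sweep reaches a freed entry; with the unlink-before-free guard the list is empty when the object goes away.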
(In reply to Nick Tait from comment #0)

> thread (A) thread (B)
> ndisc_router_discovery ndisc_router_discovery
> rt6_route_rcv
> rt = rt6_add_route_info
> ip6_del_rt(rt)
> fib6_clean_expires(rt)
> fib6_info_release(rt)
> fib6_set_expires(rt)
> fib6_info_release(rt) // free

This part of the report seems to have been whitespace-damaged. The information about which functions belong to thread (A) and which belong to thread (B) is lost. Does the original report also have missing spaces at the beginning of these lines?
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2260741]
This was fixed for Fedora with the 6.6.9 stable kernel updates.