Bug 2250377 (CVE-2023-6200, ZDI-CAN-22579) - CVE-2023-6200 kernel: ICMPv6 Router Advertisement packets, aka Linux TCP/IP Remote Code Execution Vulnerability
Keywords:
Status: NEW
Alias: CVE-2023-6200, ZDI-CAN-22579
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2250438 2260741
Blocks: 2250380
Reported: 2023-11-17 23:11 UTC by Nick Tait
Modified: 2024-03-06 07:31 UTC (History)
CC: 57 users

Fixed In Version: kernel 6.7-rc7
Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in the Linux Kernel. Under certain conditions, an unauthenticated attacker from an adjacent network could send an ICMPv6 router advertisement packet, causing arbitrary code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Nick Tait 2023-11-17 23:11:19 UTC
A flaw was found in the Linux Kernel. When the kernel receives an ICMPv6 router advertisement packet, ndisc_router_discovery() is called. If the packet contains a route information option with a lifetime, fib6_set_expires() is used and links the route into the `gc_link`.
fib6_clean_expires() is used to unlink it when it has expired; the `gc_link` within `struct fib6_info` can race in ndisc_router_discovery().
After that, the freed `struct fib6_info` is left in the `gc_link`.
This leads to a UAF when another `struct fib6_info` attempts to link/unlink into the same `gc_link`, or when the `gc_link` is traversed.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dade3f6a1e4e

Comment 12 Guillaume Nault 2023-12-07 17:05:59 UTC
(In reply to Nick Tait from comment #0)
> thread (A) thread (B)
> ndisc_router_discovery ndisc_router_discovery
> rt6_route_rcv
> rt = rt6_add_route_info
> ip6_del_rt(rt)
> fib6_clean_expires(rt)
> fib6_info_release(rt)
> fib6_set_expires(rt)
> fib6_info_release(rt) // free

This part of the report seems to have been whitespace-damaged.
The information about which functions belong to thread (A) and which belong to thread (B) is lost.
Does the original report also have missing spaces at the beginning of these lines?

Comment 30 Alex 2024-01-28 12:12:34 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2260741]

Comment 31 Justin M. Forbes 2024-01-29 18:19:06 UTC
This was fixed for Fedora with the 6.6.9 stable kernel updates.
