Amazon Linux AMI: CVE-2024-26852: Security patch for kernel (ALAS-2025-1957)

In the Linux kernel, the following vulnerability has been resolved:

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

syzbot found another use-after-free in ip6_route_mpath_notify() [1]

Commit f7225172f25a ("net/ipv6: prevent use after free in

ip6_route_mpath_notify") was not able to fix the root cause.

We need to defer the fib6_info_release() calls after

ip6_route_mpath_notify(), in the cleanup phase.

[1]

BUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0

Read of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037

CPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024

Call Trace:

<TASK>

__dump_stack lib/dump_stack.c:88 [inline]

dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106

print_address_description mm/kasan/report.c:377 [inline]

print_report+0x167/0x540 mm/kasan/report.c:488

kasan_report+0x142/0x180 mm/kasan/report.c:601

rt6_fill_node+0x1460/0x1ac0

inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184

ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]

ip6_route_multipath_add net/ipv6/route.c:5404 [inline]

inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517

rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597

netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543

netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]

netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367

netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908

sock_sendmsg_nosec net/socket.c:730 [inline]

__sock_sendmsg+0x221/0x270 net/socket.c:745

____sys_sendmsg+0x525/0x7d0 net/socket.c:2584

___sys_sendmsg net/socket.c:2638 [inline]

__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667

do_syscall_64+0xf9/0x240

entry_SYSCALL_64_after_hwframe+0x6f/0x77

RIP: 0033:0x7f73dd87dda9

Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e

RAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9

RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005

RBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858

</TASK>

Allocated by task 23037:

kasan_save_stack mm/kasan/common.c:47 [inline]

kasan_save_track+0x3f/0x80 mm/kasan/common.c:68

poison_kmalloc_redzone mm/kasan/common.c:372 [inline]

__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389

kasan_kmalloc include/linux/kasan.h:211 [inline]

__do_kmalloc_node mm/slub.c:3981 [inline]

__kmalloc+0x22e/0x490 mm/slub.c:3994

kmalloc include/linux/slab.h:594 [inline]

kzalloc include/linux/slab.h:711 [inline]

fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155

ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758

ip6_route_multipath_add net/ipv6/route.c:5298 [inline]

inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517

rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597

netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543

netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]

netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367

netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908

sock_sendmsg_nosec net/socket.c:730 [inline]

__sock_sendmsg+0x221/0x270 net/socket.c:745

____sys_sendmsg+0x525/0x7d0 net/socket.c:2584

___sys_sendmsg net/socket.c:2638 [inline]

__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667

do_syscall_64+0xf9/0x240

entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 16:

kasan_save_stack mm/kasan/common.c:47 [inline]

kasan_save_track+0x3f/0x80 mm/kasan/common.c:68

kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640

poison_slab_object+0xa6/0xe0 m

---truncated---