Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com

CVE-2024-40981

Description

In the Linux kernel, the following vulnerability has been resolved:batman-adv: bypass empty buckets in batadv_purge_orig_ref()Many syzbot reports are pointing to soft lockups inbatadv_purge_orig_ref() [1]Root cause is unknown, but we can avoid spending too muchtime there and perhaps get more interesting reports.[1]watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]Modules linked in:irq event stamp: 6182794 hardirqs last enabled at (6182793): [] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 hardirqs last disabled at (6182794): [] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (6182794): [] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (6182792): [] spin_unlock_bh include/linux/spinlock.h:396 [inline] softirqs last enabled at (6182792): [] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 softirqs last disabled at (6182790): [] spin_lock_bh include/linux/spinlock.h:356 [inline] softirqs last disabled at (6182790): [] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024Workqueue: bat_events batadv_purge_origpstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline] pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388 lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386sp : ffff800099007970x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000Call trace: __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline] __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860Sending NMI from CPU 0 to CPUs 1:NMI backtrace for cpu 1CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51 lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103sp : ffff800093a17d30x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001---truncated---

CVE-2024-40981

Description

POC

Reference

Github