CVE-2024-40957

Published: Jul 12, 2024

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors input_action_end_dx4() and input_action_end_dx6() are called NF_HOOK() for PREROUTING hook, in PREROUTING hook, we should passing a valid indev, and a NULL outdev to NF_HOOK(), otherwise may trigger a NULL pointer dereference, as below: [74830.647293] BUG: kernel NULL pointer dereference, address: 0000000000000090 [74830.655633] #PF: supervisor read access in kernel mode [74830.657888] #PF: error_code(0x0000) - not-present page [74830.659500] PGD 0 P4D 0 [74830.660450] Oops: 0000 [#1] PREEMPT SMP PTI ... [74830.664953] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [74830.666569] RIP: 0010:rpfilter_mt+0x44/0x15e [ipt_rpfilter] ... [74830.689725] Call Trace: [74830.690402] <IRQ> [74830.690953] ? show_trace_log_lvl+0x1c4/0x2df [74830.692020] ? show_trace_log_lvl+0x1c4/0x2df [74830.693095] ? ipt_do_table+0x286/0x710 [ip_tables] [74830.694275] ? __die_body.cold+0x8/0xd [74830.695205] ? page_fault_oops+0xac/0x140 [74830.696244] ? exc_page_fault+0x62/0x150 [74830.697225] ? asm_exc_page_fault+0x22/0x30 [74830.698344] ? rpfilter_mt+0x44/0x15e [ipt_rpfilter] [74830.699540] ipt_do_table+0x286/0x710 [ip_tables] [74830.700758] ? ip6_route_input+0x19d/0x240 [74830.701752] nf_hook_slow+0x3f/0xb0 [74830.702678] input_action_end_dx4+0x19b/0x1e0 [74830.703735] ? input_action_end_t+0xe0/0xe0 [74830.704734] seg6_local_input_core+0x2d/0x60 [74830.705782] lwtunnel_input+0x5b/0xb0 [74830.706690] __netif_receive_skb_one_core+0x63/0xa0 [74830.707825] process_backlog+0x99/0x140 [74830.709538] __napi_poll+0x2c/0x160 [74830.710673] net_rx_action+0x296/0x350 [74830.711860] __do_softirq+0xcb/0x2ac [74830.713049] do_softirq+0x63/0x90 input_action_end_dx4() passing a NULL indev to NF_HOOK(), and finally trigger a NULL dereference in rpfilter_mt()->rpfilter_is_loopback(): static bool rpfilter_is_loopback(const struct sk_buff *skb, const struct net_device *in) { // in is NULL return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK; }

Vendor	Product	Versions
Linux	Linux	affected `7a3f5b0de3647c854e34269c3332d7a1e902901a - < af90e3d73dc45778767b2fb6e7edd57ebe34380d` affected `7a3f5b0de3647c854e34269c3332d7a1e902901a - < ec4d970b597ee5e17b0d8d73b7875197ce9a04d4` affected `7a3f5b0de3647c854e34269c3332d7a1e902901a - < d62df86c172033679d744f07d89e93e367dd11f6` affected `7a3f5b0de3647c854e34269c3332d7a1e902901a - < 561475d53aa7e4511ee7cdba8728ded81cf1db1c` affected `7a3f5b0de3647c854e34269c3332d7a1e902901a - < 9a3bc8d16e0aacd65c31aaf23a2bced3288a7779`
Linux	Linux	affected `5.15` unaffected `0 - < 5.15` unaffected `5.15.162 - <= 5.15.` unaffected `6.1.96 - <= 6.1.` unaffected `6.6.36 - <= 6.6.*` +2 more versions

References

https://git.kernel.org/stable/c/af90e3d73dc45778767b2fb6e7edd57ebe34380d

https://git.kernel.org/stable/c/ec4d970b597ee5e17b0d8d73b7875197ce9a04d4

https://git.kernel.org/stable/c/d62df86c172033679d744f07d89e93e367dd11f6

https://git.kernel.org/stable/c/561475d53aa7e4511ee7cdba8728ded81cf1db1c

https://git.kernel.org/stable/c/9a3bc8d16e0aacd65c31aaf23a2bced3288a7779

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-40957

Description

Affected Products

References