CVE-2024-35886

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the fixed version

Description The issue is related to an infinite recursion in the fib6 dump done() function during netlink socket destruction. This occurs when syzkaller sends an AF UNSPEC RTM GETROUTE message and the response is generated, but the first call of inet6 dump fib() fails at kzalloc() due to fault injection. The fib6 dump done() function calls fib6 dump end() and nlk sk(sk)->cb.done() if it is still not NULL, and fib6 dump end() rewrites nlk sk(sk)->cb.done() by nlk sk(sk)->cb.args[3], leading to recursive calls and a stack guard page hit.

Recommendations To resolve the issue, set the destructor after kzalloc(). As a temporary workaround, consider disabling the fib6 dump done() function until a patch is available. Restrict access to the vulnerable netlink sock destruct() function to minimize the risk of exploitation. Avoid using the recvmmsg() function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.