On 12/22/2025 17:05, mike tancsa wrote:
On 12/22/2025 4:51 PM, Polarian wrote:
Hey,

I am trying to understand if rtsold is not running and not enabled,
what from the kernel would spin that up to expose the code path that
is patched in the advisory?
I don't get where you are getting a kernel vulnerability from.

The advisory already explains that the RCE comes from a lack of input
validation on the domain search field. This is a userspace
vulnerability.

This is passed to resolvconf, which does not validate its input, which
therefore allows for an RCE.

So why are we talking about code paths within the kernel? It's not within
the networking stack, it is a vulnerability within the userspace
utilities.

When I asked if patching the userland code was enough, you said no.

From what I understand having ACCEPT_RTADV on an interface means the kernel is processing rtadv packets. The advisory mentions that, but it seems that's not sufficient to trigger the bug, as rtsold is the one that processes the unchecked DNS info. i.e. you need both ACCEPT_RTADV enabled and rtsold enabled, no? If just having ACCEPT_RTADV enabled would lead to an exploit, that implies a kernel bug, no?

I just want to confirm if *not* running rtsold is enough to avoid this bug or just having the mere presence of IPv6 can lead to exploit. If the latter, how is that actually working.

    ---Mike

Unless I am missing something serious you are correct.

Without rtsold, if you have an interface that goes down and comes back up you likely will not get routes (including default) until the gateway performs its next timed transmission (typically 10 minutes).

With it enabled but no options specified it comes up on my machines as "-a -i" which is "seek the interfaces to solicit upon and do so immediately on start."

The problem is that the resolvconf(8) script is run by default (unless you specify something else with the -R switch) if rtsold is running and a DNS configuration option (RDNSS or DNSSL) advertisement is received. If rtsold is not running then it should not result in a problem per se; however, you get the possibility of not having routes when the box comes up until the gateway performs its next timed transmission.

--
Karl Denninger
[email protected]
/The Market Ticker/
/[S/MIME encrypted email preferred]/
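The thread boils down to a configuration question: is rtsold enabled, which script will it hand RDNSS/DNSSL data to (resolvconf unless -R says otherwise), and does any interface carry ACCEPT_RTADV? The script below is an added example written for this page, not code from the thread or from FreeBSD; it assumes rc.conf-style `key="value"` lines and ifconfig-style output with an `nd6 options=<...>` line per interface, and the two sample inputs are constructed here rather than captured from a real host. It reports one of three states that follow Karl's description, including the caveat that disabling rtsold can leave a box without RA-learned routes after a link flap.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide from rc.conf-style
# settings and ifconfig-style output whether rtsold would pass RDNSS/DNSSL data
# from router advertisements to resolvconf(8) (or to a -R replacement).

# Constructed sample of /etc/rc.conf lines (not from a real host).
SAMPLE_RC='hostname="host.example"
rtsold_enable="YES"
rtsold_flags="-a -i"'

# Constructed sample of ifconfig -a output; only the nd6 option lines matter.
SAMPLE_IFCONFIG='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# rc_value CONTENT KEY: value of the last KEY=... line with quotes stripped;
# prints an empty string when the key is not set.
rc_value() {
  printf '%s\n' "$1" | awk -F= -v key="$2" \
    '$1 == key { v = $2 } END { gsub(/"/, "", v); print v }'
}

# rtsold_dns_handler CONTENT: the script rtsold runs on RDNSS/DNSSL options.
# Default is resolvconf; "-R <script>" in rtsold_flags overrides it.
rtsold_dns_handler() {
  flags=$(rc_value "$1" rtsold_flags)
  set -- $flags                      # word-split the flags into $1 $2 ...
  while [ $# -gt 0 ]; do
    case "$1" in
      -R) printf '%s\n' "${2:-resolvconf}"; return ;;
    esac
    shift
  done
  printf '%s\n' resolvconf
}

# accept_rtadv_ifaces IFCONFIG_OUTPUT: space-separated names of interfaces
# whose nd6 options include ACCEPT_RTADV (the kernel-side RA processing flag).
accept_rtadv_ifaces() {
  printf '%s\n' "$1" | awk '
    /^[[:alnum:]]/ { iface = $1; sub(/:$/, "", iface) }
    /nd6 options=.*ACCEPT_RTADV/ { list = list (list == "" ? "" : " ") iface }
    END { print list }'
}

# rtsold_exposure RC_CONTENT IFCONFIG_OUTPUT: one-line verdict whose first
# word is "exposed", "rtsold-only" or "not-exposed".
rtsold_exposure() {
  enabled=$(rc_value "$1" rtsold_enable | tr '[:upper:]' '[:lower:]')
  handler=$(rtsold_dns_handler "$1")
  ifaces=$(accept_rtadv_ifaces "$2")
  if [ "$enabled" != "yes" ]; then
    echo "not-exposed: rtsold disabled; RA-learned routes may lag after a link flap"
  elif [ -z "$ifaces" ]; then
    echo "rtsold-only: rtsold enabled (DNS handler: $handler), no interface has ACCEPT_RTADV"
  else
    echo "exposed: rtsold enabled, DNS handler $handler, ACCEPT_RTADV on: $ifaces"
  fi
}

# Usage on the constructed samples; on a FreeBSD host feed it the real data:
#   rtsold_exposure "$(cat /etc/rc.conf)" "$(ifconfig -a)"
rtsold_exposure "$SAMPLE_RC" "$SAMPLE_IFCONFIG"
```

On a live host the same functions take `cat /etc/rc.conf` and `ifconfig -a` as input, as the trailing comment shows; the "exposed" verdict only means the rtsold-to-resolvconf path described in the thread is reachable on that box, so the fix is still to apply the advisory's userland patch, and disabling rtsold is a stopgap with the route-timing cost Karl points out.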
