Date: Wed, 27 Jan 2016 16:40:41 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux: NULL pointer dereference in netfilter/nf_nat_redirect.c in nf_nat_redirect_ipv4 function

Hi

From https://bugzilla.redhat.com/show_bug.cgi?id=1300731
> Kernel NULL pointer dereference vulnerability was found in
> netfilter/nf_nat_redirect.c in nf_nat_redirect_ipv4 function introduced by
> commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
> redirect IPv4 to use it from nf_tables").
> 
> Vulnerable code:
> 
> unsigned int
> nf_nat_redirect_ipv4(struct sk_buff *skb,
> ...
> {
> ...
> 		rcu_read_lock();
> 		indev = __in_dev_get_rcu(skb->dev);
> 		if (indev != NULL) {
> 			ifa = indev->ifa_list;
> 			newdst = ifa->ifa_local; <---
> 		}
> 		rcu_read_unlock();
> ...
> }
> 
> 'ifa' is not checked before access and can be accessed even if it's NULL.
> Crash might happen when packets that need to be redirected somehow arrive on an
> interface which hasn't yet been fully configured.
> 
> Patch and crash report:
> 
> https://lkml.org/lkml/2015/12/2/618

This was introduced in:
https://git.kernel.org/linus/8b13eddfdf04cbfa561725cfc42d6868fe896f56 (v3.19-rc1)

Fixed by:
https://git.kernel.org/linus/94f9cd81436c85d8c3a318ba92e236ede73752fc (v4.4-rc1)

Can you assign a CVE to track this issue?

Regards,
Salvatore
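To make the reported missing check concrete, here is an added userland C model (not kernel code and not the upstream fix). The mock struct and function names mirror the kernel ones but are assumptions, and the drop-when-zero verdict is the model's own policy; it contrasts the lookup as quoted above, which checks `indev` but not `ifa`, with a version that also checks `ifa_list` before dereferencing it.

```c
#include <stdint.h>
#include <stddef.h>

/* Mock structs (added example, not kernel code): only the fields that the
 * reported dereference touches are modelled. */
struct in_ifaddr  { uint32_t ifa_local; };
struct in_device  { struct in_ifaddr *ifa_list; };  /* NULL until an address is configured */
struct net_device { struct in_device *ip_ptr; };    /* NULL if no IPv4 state is attached */

/* Stand-in for __in_dev_get_rcu(); like the real helper it may return NULL. */
static struct in_device *mock_in_dev_get_rcu(const struct net_device *dev)
{
    return dev->ip_ptr;
}

/* Lookup as in the report: indev is checked, ifa is not, so a device that has
 * IPv4 state but no address yet (ifa_list == NULL) dereferences NULL here. */
uint32_t redirect_addr_unchecked(const struct net_device *dev)
{
    struct in_device *indev = mock_in_dev_get_rcu(dev);
    struct in_ifaddr *ifa;
    uint32_t newdst = 0;

    if (indev != NULL) {
        ifa = indev->ifa_list;
        newdst = ifa->ifa_local;        /* NULL dereference when ifa_list is empty */
    }
    return newdst;
}

/* Hardened lookup: the address list is checked too; newdst stays 0 if absent. */
uint32_t redirect_addr_checked(const struct net_device *dev)
{
    struct in_device *indev = mock_in_dev_get_rcu(dev);
    uint32_t newdst = 0;

    if (indev != NULL && indev->ifa_list != NULL)
        newdst = indev->ifa_list->ifa_local;
    return newdst;
}

/* Caller policy (modelled, not the kernel's exact verdict path): a zero address
 * means "no usable local address", so the packet is dropped rather than
 * redirected to 0.0.0.0. */
enum verdict { VERDICT_DROP = 0, VERDICT_REDIRECT = 1 };

enum verdict redirect_verdict(const struct net_device *dev, uint32_t *newdst)
{
    *newdst = redirect_addr_checked(dev);
    return *newdst ? VERDICT_REDIRECT : VERDICT_DROP;
}
```

The half-configured case (`ifa_list == NULL`) is exactly the one the unchecked version cannot be called on safely, which is why the test only exercises it through the checked path.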
