Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 8 Dec 2016 12:19:17 -0500
From: <cve-assign@...re.org>
To: <bluewind@...u.at>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE request: Linux panic on fragemented IPv6 traffic (icmp6_send)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The linux kernel contains a bug where a fragmented IPv6 packet causes a
> panic after a timeout (seems to be roughly 60 seconds). This can be
> triggered remotely via the internet and results in a DoS (kernel panic).

> https://bugzilla.kernel.org/show_bug.cgi?id=189851

>> unable to handle kernel NULL pointer dereference

>> Seems I can reliably crash said machines running 4.8.12-2 by sending
>> them incomplete fragmented IPv6 packets. The kernel indeed has
>> NET_L3_MASTER_DEV.

> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2

>> the dst->dev should be preferred for determining the L3 domain
>> if the dst has been set on the skb. Fallback to the skb->dev if it has
>> not. This covers the case reported here where icmp6_send is invoked on
>> Rx before the route lookup.

Use CVE-2016-9919.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYSZWMAAoJEHb/MwWLVhi2UAAQAKUTqLnsjpwqlBAxNh9rEexe
ljitZUtj0WSTrYAY+EdPm6n5mDocVCw5IlB2wd8Fa/8z2kPigG/9oDafnWXJFKK1
hlqNZAep/GBGX9ISVxbLPFJ5jel8BWsZ3kwiAdj5t4GcuTDbwOkujvknHyhxBS6T
kKBE/TVtafKcLUd+D6qzWyt0BaOz+ATKKrekrkRKkm7yEBaGIUHIekWZnK0tJ+sS
08sFKUxzfDCud//OepxNgxRDlecqlcK0PKNp9NNRgD/+D99JgLaxItMVVMkQrh5s
854jFifEhObQKeJLAUotfvSJjIoASXHrndyhwCw2C636vqsASE9KVItzmXV4MzSW
4+8Yqi/jLExwSe1z3Z4R6+zpQopok/ZmGJ9BPBODrU8bsCm/eFvA2eXRvXD/v2Oh
/lFbDJf34P8FM8wvzFTc0tDJB5Lf2xZ2pjEUfEdM0hlryfKWIoaGDzcpKPGfewiN
M3yHp3CcuKCX6pVxrmonA1goJTpddBqALUavwWtRRnF6ozUhKpWG6G2zhkVn9ZaT
vwSSlsYw6BTYpMz1ZPF6rqeCowtdQDI/J6gM8OuQAq/aV/i0jmFv5ToB158dy5yc
rq2wKEdUv6y0ZM7lWX5aleGlEfyMyIB/ZtTWy5wAvyfpwlv6X3/OSc/9eXxFB27M
R2CpnZwv2wLfC6/R9czc
=DVJY
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.