Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160127154041.GA9254@eldamar.local>
Date: Wed, 27 Jan 2016 16:40:41 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux: NULL pointer dereference
 netfilter/nf_nat_redirect.c in nf_nat_redirect_ipv4 function

Hi

>From https://bugzilla.redhat.com/show_bug.cgi?id=1300731 
> Kernel NULL pointer dereference vulnerability was found in
> netfilter/nf_nat_redirect.c in nf_nat_redirect_ipv4 function introduced by
> commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
> redirect IPv4 to use it from nf_tables").
> 
> Vulnerable code:
> 
> unsigned int
> nf_nat_redirect_ipv4(struct sk_buff *skb,
> ...
> {
> ...
> 		rcu_read_lock();
> 		indev = __in_dev_get_rcu(skb->dev);
> 		if (indev != NULL) {
> 			ifa = indev->ifa_list;
> 			newdst = ifa->ifa_local; <---
> 		}
> 		rcu_read_unlock();
> ...
> }
> 
> 'ifa' is not checked before access and can be accessed even if it's NULL.
> Crash might happen when packets that need to be redirected somehow arrive on an
>  interface which hasn't been yet fully configured.
> 
> Patch and crash report:
> 
> https://lkml.org/lkml/2015/12/2/618

This was introduced in:
https://git.kernel.org/linus/8b13eddfdf04cbfa561725cfc42d6868fe896f56 (v3.19-rc1)

Fixed by:
https://git.kernel.org/linus/94f9cd81436c85d8c3a318ba92e236ede73752fc (v4.4-rc1)

Can you assign a CVE to track this issue?

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.