In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Call Trace: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437) I was tempted to rework the un-slaving code to clear the flag first and insert synchronize_rcu() before we remove the upper. But looks like the explicit fallback to loopback_dev is an established pattern. And I guess avoiding the synchronize_rcu() is nice, too.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: ipv6: corrección de desreferencia de puntero NULL en ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() puede devolver NULL cuando el dispositivo esclavo está siendo desasociado de un VRF. Todos los demás llamadores manejan esto, pero perdimos la alternativa a loopback en ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() con el commit 4832c30d5458 ('net: ipv6: put host and anycast routes on device with address'). KASAN: desreferencia de puntero nulo en el rango [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Traza de Llamadas: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437) Me sentí tentado a reelaborar el código de desasociación para borrar la bandera primero e insertar synchronize_rcu() antes de que eliminemos el superior. Pero parece que la alternativa explícita a loopback_dev es un patrón establecido. Y supongo que evitar el synchronize_rcu() también es bueno.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-476
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bc462d3c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bc462e540> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdda03580> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdda00980> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bc462cdc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bc462ec40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdda002c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bc462d500> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bc462e240> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |