In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000268 Oops: 0000 [#1] PREEMPT SMP NOPTI [...] RIP: 0010:neigh_lookup+0x16/0xe0 [...] Call Trace: <IRQ> ? neigh_lookup+0x16/0xe0 br_do_suppress_nd+0x160/0x290 [bridge] br_handle_frame_finish+0x500/0x620 [bridge] br_handle_frame+0x353/0x440 [bridge] __netif_receive_skb_core.constprop.0+0x298/0x1110 __netif_receive_skb_one_core+0x3d/0xa0 process_backlog+0xa0/0x140 __napi_poll+0x2c/0x170 net_rx_action+0x2c4/0x3a0 handle_softirqs+0xd0/0x270 do_softirq+0x3f/0x60 Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers. This is in essence disabling NS/NA suppression when IPv6 is disabled.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: net: bridge: corrige la desreferencia NULL de nd_tbl cuando IPv6 está deshabilitado Al arrancar con el parámetro 'ipv6.disable=1', el nd_tbl nunca se inicializa porque inet6_init() sale antes de que se llame a ndisc_init(), que es quien lo inicializa. Luego, si neigh_suppress está habilitado y un paquete ICMPv6 Neighbor Discovery llega al puente, br_do_suppress_nd() desreferenciará ipv6_stub->nd_tbl, que es NULL, pasándolo a neigh_lookup(). Esto causa una desreferencia de puntero NULL del kernel. BUG: desreferencia de puntero NULL del kernel, dirección: 0000000000000268 Oops: 0000 [#1] PREEMPT SMP NOPTI [...] RIP: 0010:neigh_lookup+0x16/0xe0 [...] Rastro de Llamada: ? neigh_lookup+0x16/0xe0 br_do_suppress_nd+0x160/0x290 [bridge] br_handle_frame_finish+0x500/0x620 [bridge] br_handle_frame+0x353/0x440 [bridge] __netif_receive_skb_core.constprop.0+0x298/0x1110 __netif_receive_skb_one_core+0x3d/0xa0 process_backlog+0xa0/0x140 __napi_poll+0x2c/0x170 net_rx_action+0x2c4/0x3a0 handle_softirqs+0xd0/0x270 do_softirq+0x3f/0x60 Soluciona esto reemplazando la llamada a IS_ENABLED(IPV6) con ipv6_mod_enabled() en los llamadores. Esto es, en esencia, deshabilitar la supresión de NS/NA cuando IPv6 está deshabilitado.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-476
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bde497d80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc454d00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd673400> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b80611040> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bde4961c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b80613000> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b80613a80> | Operating System |
| linux | linux_kernel | 4.15 | <built-in method update of dict object at 0x702bdc456040> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bddbb2900> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b80613f40> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bde496ec0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bde496680> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b80612dc0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bddbb3a00> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc455dc0> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |