In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: icmp: soluciona la desreferencia de puntero NULL en icmp_tag_validation() icmp_tag_validation() desreferencia incondicionalmente el resultado de rcu_dereference(inet_protos[proto]) sin comprobar si es NULL. El array inet_protos[] es disperso -- solo unos 15 de 256 números de protocolo tienen gestores registrados. Cuando ip_no_pmtu_disc se establece en 3 (modo PMTU endurecido) y el kernel recibe un error ICMP Fragmentation Needed con una cabecera IP interna citada que contiene un número de protocolo no registrado, la desreferencia NULL causa un pánico del kernel en contexto de softirq. Oops: fallo de protección general, probablemente para dirección no canónica 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: desreferencia de puntero nulo en el rango [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Traza de Llamada: icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) Añadir una comprobación de NULL antes de acceder a icmp_strict_tag_validation. Si el protocolo no tiene un gestor registrado, devolver falso ya que no puede realizar una validación estricta de etiquetas.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-476
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67d3c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67efc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc337580> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd26ebc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67eb00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67ec80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67da40> | Operating System |
| linux | linux_kernel | 3.14 | <built-in method update of dict object at 0x702bdd67d9c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b8052c100> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd67fc80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd67c5c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd67db00> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdcc5b940> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd67f780> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd67d780> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:3.14:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |