Bug 1290475 (CVE-2015-8543)

Summary: CVE-2015-8543 kernel: IPv6 connect causes DoS via NULL pointer dereference
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aquini, arm-mgr, bhu, carnil, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, madhu.chinakonda, matt, mchehab, mcressma, mrg-program-list, nmurray, plougher, rvrbovsk, slawomir, slong, vdronov, williams, yozone
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system.
Story Points: ---
Last Closed: 2019-06-08 02:46:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1290477, 1291618, 1291627, 1293673, 1334846, 1334847
Bug Blocks: 1290479

Description Adam Mariš 2015-12-10 15:56:57 UTC
It was found that in net/ipv4/af_inet.c, PC will contain 0x0 if sk->sk_prot->get_port is NULL, leading to a kernel NULL pointer dereference.

Vulnerable code:

static int inet_autobind(struct sock *sk)
{
	struct inet_sock *inet;
	/* We may need to bind the socket. */
	lock_sock(sk);
	inet = inet_sk(sk);
	if (!inet->inet_num) {
		/* Indirect call through sk_prot; this is the NULL function call from the report */
		if (sk->sk_prot->get_port(sk, 0)) {
			release_sock(sk);
			return -EAGAIN;
		}
		inet->inet_sport = htons(inet->inet_num);
	}
	release_sock(sk);
	return 0;
}

CVE request (contains reproducer):

http://seclists.org/oss-sec/2015/q4/458

Comment 1 Adam Mariš 2015-12-10 15:59:01 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1290477]

Comment 2 Adam Mariš 2015-12-14 10:41:42 UTC
This issue got CVE-2015-8543 for the Android kernel. The Linux kernel might get one as well if bugs appear when sk->sk_prot->get_port is NULL.

http://seclists.org/oss-sec/2015/q4/473

Comment 4 Vladis Dronov 2015-12-18 12:27:47 UTC
Description:

A flaw was found in the kernel network stack in the inet_autobind() function in the net/ipv4/af_inet.c file. AF_INET and AF_INET6 sockets only support 8-bit protocol identifiers, thus if a larger protocol identifier is provided, the higher bits are cut off. A connect() call on the incorrectly created SOCK_RAW socket could lead to the NULL function call. A SOCK_RAW socket can be created by an unprivileged user if the kernel supports CLONE_NEWUSER or by an unprivileged user with the CAP_NET_RAW capability. If the system settings allow allocation of the memory page with address zero this can lead to arbitrary code execution and privilege escalation, otherwise to a kernel crash and DoS.

References:

http://seclists.org/oss-sec/2015/q4/456
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9
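
The truncation path described in the comment above, as an added userspace model written for this page. It is not kernel code and not the reproducer from the CVE request: it mirrors only the pieces of raw socket creation and inet_autobind() that matter here. Assumptions of the model: the protocol lookup rejects protocol 0 outright but lets any other value through as a wildcard match for the raw socket entry, the value is then stored into an 8-bit sk_protocol bitfield and a 16-bit inet_num (the field widths of struct sock and struct inet_sock of that era), the raw protocol ops carry no get_port, and the upstream fix is modelled as rejecting any protocol outside 0..IPPROTO_MAX-1 with -EINVAL before anything is stored. The inputs in main() are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_IPPROTO_MAX 256          /* IPPROTO_MAX in <linux/in.h> */
#define MODEL_WOULD_CRASH (-1000)      /* model-only code: the kernel would call a NULL pointer here */

/* Model of the two fields that receive the protocol argument (assumption: widths as in the kernel of that era). */
struct model_sock {
	unsigned int sk_protocol:8;    /* 8-bit bitfield: high bits of the syscall argument are lost */
	unsigned short inet_num;       /* __u16; for SOCK_RAW it holds the protocol, not a port */
	unsigned short inet_sport;
	int (*get_port)(struct model_sock *sk, unsigned short snum);  /* NULL for the raw ops in this model */
};

/* Mirrors inet_autobind(): get_port is called whenever inet_num is zero, with no NULL check in the kernel. */
static int model_autobind(struct model_sock *sk)
{
	if (!sk->inet_num) {
		if (sk->get_port == NULL)
			return MODEL_WOULD_CRASH;   /* the model's stand-in for the NULL function call */
		if (sk->get_port(sk, 0))
			return -EAGAIN;
		sk->inet_sport = sk->inet_num;  /* htons() omitted in the model */
	}
	return 0;
}

/*
 * Mirrors raw socket creation. validate == 0 is the pre-fix behaviour; validate != 0 adds the
 * range check the upstream fix introduces (modelled here as 0 <= protocol < IPPROTO_MAX).
 */
static int model_raw_create(struct model_sock *sk, int protocol, int validate)
{
	if (validate && (protocol < 0 || protocol >= MODEL_IPPROTO_MAX))
		return -EINVAL;
	/* Lookup model: protocol 0 finds no non-wild match; anything else matches the raw entry as a wildcard. */
	if (protocol == 0)
		return -EPROTONOSUPPORT;
	sk->sk_protocol = protocol;   /* truncated to 8 bits */
	sk->inet_num = protocol;      /* truncated to 16 bits: 0x10000 becomes 0 */
	sk->inet_sport = 0;
	sk->get_port = NULL;          /* raw sockets never autobind a port, so no get_port is provided */
	return 0;
}

/* socket() followed by connect(); returns the code of the first step that fails, 0 if both succeed. */
static int model_socket_then_connect(int protocol, int validate)
{
	struct model_sock sk = {0};
	int rc = model_raw_create(&sk, protocol, validate);
	if (rc)
		return rc;
	return model_autobind(&sk);
}

/* The 8-bit protocol value the pre-fix kernel would keep for a given syscall argument (0 if creation fails). */
static unsigned int model_stored_protocol(int protocol)
{
	struct model_sock sk = {0};
	model_raw_create(&sk, protocol, 0);
	return sk.sk_protocol;
}

int main(void)
{
	/* Constructed inputs: a valid protocol, protocol 0, and the smallest value whose low 16 bits are zero. */
	int inputs[] = { 17, 0, 0x10000 };
	for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
		printf("protocol %#x: stored as %u, pre-fix socket+connect -> %d, post-fix -> %d\n",
		       inputs[i], model_stored_protocol(inputs[i]),
		       model_socket_then_connect(inputs[i], 0),
		       model_socket_then_connect(inputs[i], 1));
	return 0;
}
```

The point the model makes: protocol 0 is refused by the lookup, but a value such as 0x10000 passes the lookup as a wildcard match and only then collapses to 0 in both fields, so connect() reaches the NULL get_port. Checking the full int against IPPROTO_MAX before it is narrowed is what closes the gap; the same class of check is what to look for when auditing any other address family that stores a syscall integer into a narrower field.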

Comment 6 Vladis Dronov 2015-12-18 12:33:38 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future updates for the respective releases may address the issue.

This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 9 Fedora Update System 2015-12-22 07:20:57 UTC
kernel-4.2.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-12-22 22:02:07 UTC
kernel-4.2.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2016-05-10 23:29:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0855 https://rhn.redhat.com/errata/RHSA-2016-0855.html

Comment 15 errata-xmlrpc 2016-11-03 14:41:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 16 errata-xmlrpc 2016-11-03 19:38:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 17 errata-xmlrpc 2016-11-03 21:30:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 18 errata-xmlrpc 2016-11-03 21:46:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html