Bug 1300731 (CVE-2015-8787)
| Summary: | CVE-2015-8787 kernel: Missing NULL pointer check in nf_nat_redirect_ipv4 | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agordeev, aquini, arm-mgr, bhu, carnil, dhoward, esammons, fhrbata, gansalmon, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, rt-maint, rvrbovsk, slawomir, slong, vdronov, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A NULL-pointer dereference vulnerability was found in the Linux kernel's TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-01-28 16:07:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1300732 | ||
| Bug Blocks: | 1300733 | ||
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1300732] (In reply to Adam Mariš from comment #0) > Patch and crash report: > > https://lkml.org/lkml/2015/12/2/618 This is commit 94f9cd81436c85d8c3a318ba92e236ede73752fc in Linus' tree. It was included with the 4.4-rc1 release. an upstream commit introduced the flaw: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b13eddfdf04cbfa561725cfc42d6868fe896f56 an upstream commit with the fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=94f9cd81436c85d8c3a318ba92e236ede73752fc Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG-2 as the code with the flaw is not present in the products listed. kernel-4.3.4-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. kernel-4.3.4-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |
Kernel NULL pointer dereference vulnerability was found in netfilter/nf_nat_redirect.c in nf_nat_redirect_ipv4 function introduced by commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables"). Vulnerable code: unsigned int nf_nat_redirect_ipv4(struct sk_buff *skb, ... { ... rcu_read_lock(); indev = __in_dev_get_rcu(skb->dev); if (indev != NULL) { ifa = indev->ifa_list; newdst = ifa->ifa_local; <--- } rcu_read_unlock(); ... } 'ifa' is not checked before access and can be accessed even if it's NULL. Crash might happen when packets that need to be redirected somehow arrive on an interface which hasn't been yet fully configured. Patch and crash report: https://lkml.org/lkml/2015/12/2/618 Oss-security reference: http://seclists.org/oss-sec/2016/q1/223 CVE assignment: http://seclists.org/oss-sec/2016/q1/226