Bug 2083992 (CVE-2022-1671)

Summary: CVE-2022-1671 kernel: null-ptr-deref bugs in net/rxrpc/server_key.c in rxrpc_preparse_s
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, bskeggs, chwhite, ddepaula, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpazdziora, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, swood, vkumar, walters, williams
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 5.18 rc1
Doc Text:
A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel. This flaw allows a local attacker to crash the system or leak internal kernel information.
Last Closed: 2022-08-29 10:02:36 UTC
Bug Depends On: 2084037, 2084038    
Bug Blocks: 2083989, 2084035    

Description Rohit Keshri 2022-05-11 07:42:33 UTC
There are some null-ptr-deref bugs in server_key.c in net/rxrpc/server_key.c in the latest kernel; unprivileged users can easily trigger them via ioctl.

#Root Cause
Some function calls are not implemented in rxrpc_no_security; these are preparse_server_key, free_preparse_server_key and destroy_server_key.

When the rxrpc security type is rxrpc_no_security, unprivileged users can easily trigger a null-ptr-deref bug via ioctl. So a judgment should be added to prevent it.
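
The pattern described in the root cause above, as an added example that is not part of the original report or the kernel source: a user-space C model of an operations table with optional hooks, comparing an unguarded call through a hook with a guarded one. The `model_sec` struct, the `model_*` objects and the `*_guarded`/`*_unguarded` functions are hypothetical names; only the three hook names and `rxrpc_no_security` come from the report.

```c
/* Added example: user-space model, not kernel code. Names other than the hooks are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct model_sec { /* hooks are optional: a security type may leave any NULL */
    int  (*preparse_server_key)(const void *data, size_t len);
    void (*free_preparse_server_key)(void *payload);
    void (*destroy_server_key)(void *payload);
};

int model_freed; /* counts cleanup-hook invocations */
static int full_preparse(const void *d, size_t n) { return (d && n) ? 0 : -EINVAL; }
static void full_free(void *payload) { (void)payload; model_freed++; }

/* Stands in for a type like rxrpc_no_security: no hook is set. */
const struct model_sec model_no_security = { 0 };
const struct model_sec model_full_security = {
    .preparse_server_key = full_preparse,
    .free_preparse_server_key = full_free,
    .destroy_server_key = full_free,
};

/* Unguarded: with model_no_security this is a call through NULL. */
int preparse_unguarded(const struct model_sec *sec, const void *d, size_t n)
{
    return sec->preparse_server_key(d, n);
}

/* Guarded: refuse the request when the hook is absent. */
int preparse_guarded(const struct model_sec *sec, const void *d, size_t n)
{
    if (!sec || !sec->preparse_server_key)
        return -EINVAL;
    return sec->preparse_server_key(d, n);
}

/* Cleanup has no error to return, so a missing hook is a no-op. */
void free_guarded(const struct model_sec *sec, void *payload)
{
    if (sec && sec->free_preparse_server_key)
        sec->free_preparse_server_key(payload);
}

int main(void)
{
    printf("no hooks: %d\n", preparse_guarded(&model_no_security, "k", 1));
    printf("hooks set: %d\n", preparse_guarded(&model_full_security, "k", 1));
    return 0;
}
```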

Comment 9 Jan Pazdziora 2023-07-28 17:00:14 UTC
Hello, the CVE page https://access.redhat.com/security/cve/CVE-2022-1671 Statement paragraph says

The affected code was not introduced into any kernel versions shipped with Red Hat Enterprise Linux making this vulnerable and not applicable to these platforms.

Should that be "making this vulnerability not applicable" or something similar?