Bug 2162120 (CVE-2023-0394)
| Summary: | CVE-2023-0394 kernel: NULL pointer dereference in rawv6_push_pending_frames | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | acaringi, bhu, chwhite, crwood, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, fhrbata, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kyoshida, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, sgrubb, tyberry, vkumar, walters, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Kernel 6.2 RC4 | Doc Type: | If docs needed, set a value |
| Doc Text: | A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-16 22:49:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2162122, 2162123, 2162124, 2162125 | | |
| Bug Blocks: | 2162118 | | |
This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148

This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2023:2736 https://access.redhat.com/errata/RHSA-2023:2736

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2023:2951 https://access.redhat.com/errata/RHSA-2023:2951

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0394

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support. Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412
A NULL pointer dereference in the Linux kernel that affects multiple kernel versions. The bug is in the `rawv6_push_pending_frames` function in net/ipv6/raw.c. According to Herbert Xu, who fixed the bug, the root cause is that `total_len = inet_sk(sk)->cork.base.length` in this function also counts the length of the extension header (plus the amount of valid data in the socket cork queue). In the vulnerable version of the function, it directly uses this length as the amount of data in the cork queue. In the following code:

```c
struct sk_buff *csum_skb = NULL;
...
skb_queue_walk(&sk->sk_write_queue, skb) {
	...
	if (offset >= len) {
		offset -= len;
		continue;
	}
	csum_skb = skb;	/* the fragment that holds the checksum offset */
}
skb = csum_skb;		/* stays NULL if no fragment was selected */
```

If `offset` is larger than the amount of data in the socket cork queue but smaller than the valid data length plus the extension header length, then the loop shown above will always enter the `if (offset >= len)` branch. As a result, `csum_skb` will never be set. Consequently, the final `skb` variable will be set to NULL. The NULL dereference happens in the following `skb_transport_offset(skb);` call.
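To make the arithmetic behind that description concrete, here is an added example, not code from the bug report, the kernel or Red Hat: a small user-space C model of the bounds check and the queue walk described above. `struct frag`, `struct cork`, `push_pending`, `find_csum_frag`, `count_crashing_offsets` and the sample lengths are assumptions that stand in for `struct sk_buff`, `sk->sk_write_queue`, `inet_sk(sk)->cork` and the kernel's own helpers. The `deduct_ext_hdr` switch models the upstream fix, which subtracts the extension header length from `total_len` before comparing it with the offset.

```c
/*
 * Added example (not kernel code): user-space model of the length check and
 * checksum-segment walk in rawv6_push_pending_frames. struct frag / struct cork
 * and the function names are assumptions standing in for struct sk_buff,
 * sk->sk_write_queue and inet_sk(sk)->cork.
 */
#include <stddef.h>
#include <stdio.h>

/* One queued fragment: payload bytes after the transport header,
 * i.e. skb->len - skb_transport_offset(skb) in the kernel loop. */
struct frag {
	int len;
};

/* Model of the socket's cork state. */
struct cork {
	const struct frag *q;	/* the write queue */
	int nfrags;
	int opt_flen;		/* extension header bytes, also counted in the cork length */
};

enum outcome {
	REJECTED_EINVAL,	/* offset >= total_len - 1 check fired */
	SENDS,			/* a fragment was selected for the checksum */
	NULL_DEREF,		/* no fragment selected: skb_transport_offset(NULL) */
};

/* cork.base.length: queued payload plus the extension header length. */
int cork_total_len(const struct cork *c)
{
	int total = c->opt_flen;

	for (int i = 0; i < c->nfrags; i++)
		total += c->q[i].len;
	return total;
}

/*
 * The skb_queue_walk loop quoted in the report: pick the fragment that holds
 * payload byte 'offset'. Returns NULL when offset lies past the queued payload.
 */
const struct frag *find_csum_frag(const struct cork *c, int offset)
{
	const struct frag *csum_frag = NULL;

	for (int i = 0; i < c->nfrags && !csum_frag; i++) {
		int len = c->q[i].len;

		if (offset >= len) {
			offset -= len;
			continue;
		}
		csum_frag = &c->q[i];
	}
	return csum_frag;
}

/*
 * The bounds check followed by the walk. With deduct_ext_hdr == 0 the check
 * compares offset against a total that still includes opt_flen (vulnerable);
 * with deduct_ext_hdr == 1 the extension header length is removed first (fix).
 */
enum outcome push_pending(const struct cork *c, int offset, int deduct_ext_hdr)
{
	int total_len = cork_total_len(c);
	const struct frag *f;

	if (deduct_ext_hdr)
		total_len -= c->opt_flen;
	if (offset >= total_len - 1)
		return REJECTED_EINVAL;
	f = find_csum_frag(c, offset);
	return f ? SENDS : NULL_DEREF;
}

/* How many offsets pass the check yet select no fragment. */
int count_crashing_offsets(const struct cork *c, int deduct_ext_hdr)
{
	int crashes = 0;

	for (int off = 0; off < cork_total_len(c); off++)
		if (push_pending(c, off, deduct_ext_hdr) == NULL_DEREF)
			crashes++;
	return crashes;
}

/* Constructed sample: 1280 + 720 payload bytes and an 8-byte extension header,
 * so the cork length is 2008 but only 2000 bytes are walkable. */
static const struct frag SAMPLE_QUEUE[] = { { 1280 }, { 720 } };
const struct cork SAMPLE_CORK = { SAMPLE_QUEUE, 2, 8 };

int main(void)
{
	printf("cork length %d, walkable payload %d\n", cork_total_len(&SAMPLE_CORK),
	       cork_total_len(&SAMPLE_CORK) - SAMPLE_CORK.opt_flen);
	printf("vulnerable check: %d crashing offsets\n",
	       count_crashing_offsets(&SAMPLE_CORK, 0));
	printf("fixed check:      %d crashing offsets\n",
	       count_crashing_offsets(&SAMPLE_CORK, 1));
	return 0;
}
```

With the sample lengths, offsets 2000 through 2006 pass the vulnerable check (`2006 < 2008 - 1`) but fall past the 2000 walkable bytes, so the walk returns NULL and the real function would dereference it. Once the 8 header bytes are deducted, every offset that survives `offset >= total_len - 1` lies inside the payload, and the walk always selects a fragment.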