It was found that in net/ipv4/af_inet.c, PC will contain 0x0 if sk->sk_prot->get_port is NULL, leading to a kernel NULL pointer dereference.

Vulnerable code:

    static int inet_autobind(struct sock *sk)
    {
        struct inet_sock *inet;
        /* We may need to bind the socket. */
        lock_sock(sk);
        inet = inet_sk(sk);
        if (!inet->inet_num) {
            if (sk->sk_prot->get_port(sk, 0)) {
                release_sock(sk);
                return -EAGAIN;
            }
            inet->inet_sport = htons(inet->inet_num);
        }
        release_sock(sk);
        return 0;
    }

CVE request (contains reproducer): http://seclists.org/oss-sec/2015/q4/458
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1290477]
This issue got CVE-2015-8543 for the Android kernel. The Linux kernel might get one as well if bugs appear when sk->sk_prot->get_port is NULL. http://seclists.org/oss-sec/2015/q4/473
Upstream bugfix: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9
Description: A flaw was found in the kernel network stack in the inet_autobind() function in the net/ipv4/af_inet.c file. AF_INET and AF_INET6 sockets only support 8-bit protocol identifiers, thus if a larger protocol identifier is provided, the higher bits are cut off. A connect() call on the incorrectly created SOCK_RAW socket could lead to the NULL function call. A SOCK_RAW socket can be created by an unprivileged user if the kernel supports CLONE_NEWUSER, or by an unprivileged user with the CAP_NET_RAW capability. If the system settings allow allocation of the memory page with address zero, this can lead to arbitrary code execution and privilege escalation; otherwise to a kernel crash and DoS.

References:
http://seclists.org/oss-sec/2015/q4/456
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9
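The following is an added, user-space illustration of the root cause described above (it is not code from the bug report or the kernel): a protocol number copied into an 8-bit field silently loses its high bits, and the range check modelled on the upstream fix rejects such values with -EINVAL before any truncation can happen. struct fake_sock, INET_PROTO_LIMIT and the function names are constructed stand-ins, not kernel identifiers.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's struct sock: on the affected
 * kernels the protocol field is 8 bits wide, so only 256 values fit. */
struct fake_sock {
    unsigned int sk_protocol : 8;
};

/* Assumed constant: the first value that no longer fits the 8-bit field
 * (what IPPROTO_MAX was on the affected kernels), defined here to stay
 * self-contained. */
#define INET_PROTO_LIMIT 256

/* Pre-fix behaviour: the int from socket(2) is copied straight into the
 * 8-bit field and bits above the low byte vanish. Returns the stored value. */
int protocol_as_stored_unchecked(int protocol)
{
    struct fake_sock sk = { 0 };
    sk.sk_protocol = protocol;
    return sk.sk_protocol;
}

/* Range check modelled on the upstream fix: out-of-range protocol numbers
 * are rejected with -EINVAL before anything is stored or truncated. */
int validate_protocol(int protocol)
{
    if (protocol < 0 || protocol >= INET_PROTO_LIMIT)
        return -EINVAL;
    return 0;
}

/* Post-fix behaviour: store only after validation. Returns the stored value
 * or the negative errno from validate_protocol(). */
int protocol_as_stored_checked(int protocol)
{
    int err = validate_protocol(protocol);
    if (err)
        return err;
    return protocol_as_stored_unchecked(protocol);
}

int main(void)
{
    int oversized = (1 << 8) | 1; /* constructed: protocol 1 with one extra high bit */

    printf("unchecked: %d is stored as %d\n", oversized, protocol_as_stored_unchecked(oversized));
    printf("checked:   %d -> %d (-EINVAL)\n", oversized, protocol_as_stored_checked(oversized));
    printf("checked:   %d -> %d\n", 17, protocol_as_stored_checked(17));
    return 0;
}
```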
Statement: This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future updates for the respective releases may address the issue. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
kernel-4.2.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.2.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0855 https://rhn.redhat.com/errata/RHSA-2016-0855.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html