Bug 1290475 - (CVE-2015-8543) CVE-2015-8543 kernel: IPv6 connect causes DoS via NULL pointer dereference
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151209,repor...
Keywords: Reopened, Security
Depends On: 1290477 1291618 1291627 1293673 1334846 1334847
Blocks: 1290479
Reported: 2015-12-10 10:56 EST by Adam Mariš
Modified: 2016-11-10 09:08 EST (History)
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system.
Last Closed: 2015-12-22 11:28:10 EST


Description Adam Mariš 2015-12-10 10:56:57 EST
It was found that in net/ipv4/af_inet.c, the PC will contain 0x0 if sk->sk_prot->get_port is NULL, leading to a kernel NULL pointer dereference.

Vulnerable code:

static int inet_autobind(struct sock *sk)
{
	struct inet_sock *inet;
	/* We may need to bind the socket. */
	lock_sock(sk);
	inet = inet_sk(sk);
	if (!inet->inet_num) {
		/* get_port is called without a NULL check; the report describes
		 * a raw socket reaching this path with a NULL get_port. */
		if (sk->sk_prot->get_port(sk, 0)) {
			release_sock(sk);
			return -EAGAIN;
		}
		inet->inet_sport = htons(inet->inet_num);
	}
	release_sock(sk);
	return 0;
}

CVE request (contains reproducer):

http://seclists.org/oss-sec/2015/q4/458
Comment 1 Adam Mariš 2015-12-10 10:59:01 EST
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1290477]
Comment 2 Adam Mariš 2015-12-14 05:41:42 EST
This issue got CVE-2015-8543 for the Android kernel. The Linux kernel might get one as well if bugs appear when sk->sk_prot->get_port is NULL.

http://seclists.org/oss-sec/2015/q4/473
Comment 4 Vladis Dronov 2015-12-18 07:27:47 EST
Description:

A flaw was found in the kernel network stack in the inet_autobind() function in the net/ipv4/af_inet.c file. AF_INET and AF_INET6 sockets only support 8-bit protocol identifiers, thus if a larger protocol identifier is provided, the higher bits are cut off. A connect() call on the incorrectly created SOCK_RAW socket could lead to a NULL function call. A SOCK_RAW socket can be created by an unprivileged user if the kernel supports CLONE_NEWUSER, or by an unprivileged user with the CAP_NET_RAW capability. If the system settings allow allocation of the memory page at address zero, this can lead to arbitrary code execution and privilege escalation; otherwise, to a kernel crash and DoS.

References:

http://seclists.org/oss-sec/2015/q4/456
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9
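The description and comment 4 both come down to one integer-narrowing problem: the protocol argument of socket() is an int, but it is stored into fields that are narrower, so the high bits vanish and a raw socket can end up with a zero local number and an unconditional call through a NULL get_port. The following userspace model is added here to show that narrowing and the shape of the check the referenced upstream commit adds (reject protocol < 0 or >= IPPROTO_MAX before anything is stored); it is not code from the bug report or from the kernel. The field widths are assumptions: an 8-bit sk_protocol (as the report states), a 16-bit inet_num (taken from struct inet_sock), and a local MODEL_IPPROTO_MAX of 256; all model_* names are hypothetical, and no sockets are created.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace model of the narrowing described in the bug report.  These are
 * NOT the kernel's structures: the widths are assumptions taken from the
 * report (8-bit protocol identifiers) and from struct inet_sock (16-bit
 * inet_num).  MODEL_IPPROTO_MAX stands in for the kernel's IPPROTO_MAX.
 */
#define MODEL_IPPROTO_MAX 256 /* 8-bit protocol ids: the valid range is 0..255 */

struct model_sock {
    unsigned int sk_protocol : 8;  /* 8-bit field: higher bits of the request are lost */
    uint16_t     inet_num;         /* raw sockets record their protocol here as the "port" */
    bool         get_port_is_null; /* the raw proto ops in this model provide no get_port */
};

/* Pre-fix shape: the requested protocol is stored with no range check. */
int model_inet_create_unchecked(struct model_sock *sk, int protocol, bool is_raw)
{
    sk->sk_protocol = (unsigned int)protocol;   /* silently reduced modulo 256 */
    sk->get_port_is_null = is_raw;
    /* For SOCK_RAW the kernel sets inet_num = protocol so that autobind is
     * skipped; the 16-bit field turns 0x10000 into 0, which re-enables it. */
    sk->inet_num = is_raw ? (uint16_t)protocol : 0;
    return 0;
}

/* Fixed shape: validate the range before anything is stored. */
int model_inet_create_checked(struct model_sock *sk, int protocol, bool is_raw)
{
    if (protocol < 0 || protocol >= MODEL_IPPROTO_MAX)
        return -EINVAL;
    return model_inet_create_unchecked(sk, protocol, is_raw);
}

/*
 * Model of inet_autobind(): when no local number is set, get_port is called.
 * Returns 1 where the kernel would have called a NULL get_port, 0 otherwise.
 */
int model_inet_autobind(const struct model_sock *sk)
{
    if (sk->inet_num == 0 && sk->get_port_is_null)
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample requests: two valid ids and two that exceed 8 bits. */
    const int requests[] = { 17, 255, 0x106, 0x10000 };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        struct model_sock unchecked, checked;
        model_inet_create_unchecked(&unchecked, requests[i], true);
        int rc = model_inet_create_checked(&checked, requests[i], true);
        printf("requested %6d -> sk_protocol %3u, inet_num %5u, "
               "NULL get_port reachable: %s; with range check: %d\n",
               requests[i], (unsigned)unchecked.sk_protocol,
               (unsigned)unchecked.inet_num,
               model_inet_autobind(&unchecked) ? "yes" : "no", rc);
    }
    return 0;
}
```

The point to take from the table the model prints is that 0x106 keeps a nonzero inet_num (262) while its sk_protocol collapses to 6, and 0x10000 collapses both fields to 0; only the up-front range check makes both cases fail cleanly with -EINVAL instead of storing a value that no longer matches what the caller asked for.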
Comment 6 Vladis Dronov 2015-12-18 07:33:38 EST
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future updates for the respective releases may address the issue.

This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 9 Fedora Update System 2015-12-22 02:20:57 EST
kernel-4.2.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-12-22 17:02:07 EST
kernel-4.2.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2016-05-10 19:29:28 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0855 https://rhn.redhat.com/errata/RHSA-2016-0855.html
Comment 15 errata-xmlrpc 2016-11-03 10:41:05 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 16 errata-xmlrpc 2016-11-03 15:38:37 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
Comment 17 errata-xmlrpc 2016-11-03 17:30:27 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 18 errata-xmlrpc 2016-11-03 17:46:02 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
