Bug 2221501 (CVE-2023-3106) - CVE-2023-3106 kernel: Netlink socket crash (null pointer deref) in netlink_dump function
Summary: CVE-2023-3106 kernel: Netlink socket crash (null pointer deref) in netlink_du...
Alias: CVE-2023-3106
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2221502 2221503 2222176
Blocks: 2211870
Reported: 2023-07-09 14:55 UTC by Alex
Modified: 2023-09-22 19:17 UTC (History)

Fixed In Version: kernel 4.8-rc7
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference vulnerability was found in netlink_dump in the Linux kernel. The issue can occur when a Netlink socket receives a message (via sendmsg) of type XFRM_MSG_GETSA or XFRM_MSG_GETPOLICY with the DUMP flag set, and can lead to a denial of service or possibly another unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely.
Clone Of:
Last Closed: 2023-07-12 11:39:41 UTC


Description Alex 2023-07-09 14:55:38 UTC
A flaw in the Linux kernel was found in netlink_dump. When the Netlink socket receives a message (sendmsg) of the XFRM_MSG_GETSA or XFRM_MSG_GETPOLICY type and the DUMP flag is set, it will enter the netlink_dump function for processing. When sending data to the socket multiple times, sk->sk_rmem_alloc will continue to accumulate, and eventually atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf will be judged as true, skipping the initialization of netlink_callback->args.


Comment 4 Alex 2023-07-12 07:04:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2222176]

Comment 6 Product Security DevOps Team 2023-07-12 11:39:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 7 Justin M. Forbes 2023-07-18 18:33:34 UTC
This was fixed for Fedora with 4.8 kernel updates in 2016.
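The record above gives the upstream fix version as kernel 4.8-rc7. The following is an added example, not part of this bug or of the kernel project, showing how to compare a running kernel's `uname -r` release string against that upstream version, including the release-candidate ordering (4.8.0-rc6 is affected, 4.8.0-rc7 and 4.8.0 are not). The function name, the regular expression and the sample release strings are assumptions constructed for the example. The comparison is against mainline only: a distribution kernel with a lower version number may carry the fix as a backport, so the vendor's CVE page, not this check, is authoritative for such kernels.

```python
"""Check whether a kernel release string predates the upstream fix for CVE-2023-3106.

Added example; the fix version (4.8-rc7) is taken from the bug record, everything
else here is constructed for illustration.
"""
import platform
import re
from typing import Optional, Tuple

# Upstream fix version from the record: kernel 4.8-rc7.
FIX_VERSION = (4, 8, 0, 7)

# Matches the leading "major.minor[.patch][-rcN]" of a uname -r string, e.g.
# "4.8.0-rc7", "4.7.10-200.fc24.x86_64", "5.14.0-284.30.1.el9_2.x86_64".
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

# A final release sorts after every release candidate of the same version,
# so it gets a sentinel rc number larger than any real -rcN.
_FINAL_RELEASE = 10**6


def parse_release(release: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a uname -r string into a comparable (major, minor, patch, rc) tuple.

    Returns None when the string does not start with a kernel version.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (
        int(major),
        int(minor),
        int(patch) if patch is not None else 0,
        int(rc) if rc is not None else _FINAL_RELEASE,
    )


def predates_upstream_fix(release: str) -> bool:
    """True if the mainline version in `release` is older than 4.8-rc7.

    Caveat: a distribution kernel (e.g. RHEL or Fedora) with an older version
    number may still carry the fix as a backport; this is a mainline-only check.
    Unparseable strings are treated as not-known-fixed (True) so they are not
    silently passed as safe.
    """
    parsed = parse_release(release)
    if parsed is None:
        return True
    return parsed < FIX_VERSION


if __name__ == "__main__":
    # Constructed sample release strings, plus the kernel this runs on.
    samples = [
        "4.7.10-200.fc24.x86_64",   # constructed: pre-fix Fedora 24 style
        "4.8.0-rc6",                # constructed: last affected mainline rc
        "4.8.0-rc7",                # constructed: the fix version
        "5.14.0-284.30.1.el9_2.x86_64",  # constructed: RHEL 9 style
        platform.release(),
    ]
    for rel in samples:
        verdict = "predates 4.8-rc7 (check vendor for backports)" if predates_upstream_fix(rel) else "at or after 4.8-rc7"
        print(f"{rel:40} {verdict}")
```

Run it directly to see the verdict for the constructed samples and for the host kernel; the final column is only a mainline version comparison, so a "predates" result on a vendor kernel should be confirmed against that vendor's CVE page before being treated as a finding.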
