Bug 1290475 (CVE-2015-8543) - CVE-2015-8543 kernel: IPv6 connect causes DoS via NULL pointer dereference
Summary: CVE-2015-8543 kernel: IPv6 connect causes DoS via NULL pointer dereference
Status: NEW
Alias: CVE-2015-8543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20151209,repor...
Keywords: Reopened, Security
Depends On: 1290477 1291618 1291627 1293673 1334846 1334847
Blocks: 1290479
Reported: 2015-12-10 15:56 UTC by Adam Mariš
Modified: 2018-08-28 22:01 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-22 16:28:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2016:0855 | normal | SHIPPED_LIVE | Moderate: kernel security, bug fix, and enhancement update | 2016-05-10 22:43:57 UTC
Red Hat Product Errata RHSA-2016:2574 | normal | SHIPPED_LIVE | Important: kernel security, bug fix, and enhancement update | 2016-11-03 12:06:10 UTC
Red Hat Product Errata RHSA-2016:2584 | normal | SHIPPED_LIVE | Important: kernel-rt security, bug fix, and enhancement update | 2016-11-03 12:08:49 UTC

Description Adam Mariš 2015-12-10 15:56:57 UTC
It was found that in net/ipv4/af_inet.c, PC will contain 0x0 if sk->sk_prot->get_port is NULL, leading to a kernel NULL pointer dereference.

Vulnerable code:

static int inet_autobind(struct sock *sk)
{
	struct inet_sock *inet;
	/* We may need to bind the socket. */
	lock_sock(sk);
	inet = inet_sk(sk);
	if (!inet->inet_num) {
		if (sk->sk_prot->get_port(sk, 0)) {
			release_sock(sk);
			return -EAGAIN;
		}
		inet->inet_sport = htons(inet->inet_num);
	}
	release_sock(sk);
	return 0;
}

CVE request (contains reproducer):

http://seclists.org/oss-sec/2015/q4/458

Comment 1 Adam Mariš 2015-12-10 15:59:01 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1290477]

Comment 2 Adam Mariš 2015-12-14 10:41:42 UTC
This issue got CVE-2015-8543 for the Android kernel. The Linux kernel might get one as well if bugs appear when sk->sk_prot->get_port is NULL.

http://seclists.org/oss-sec/2015/q4/473

Comment 4 Vladis Dronov 2015-12-18 12:27:47 UTC
Description:

A flaw was found in the kernel network stack in the inet_autobind() function in the net/ipv4/af_inet.c file. AF_INET and AF_INET6 sockets only support 8-bit protocol identifiers, thus if a larger protocol identifier is provided, the higher bits are cut off. A connect() call on the incorrectly created SOCK_RAW socket could lead to a NULL function call. A SOCK_RAW socket can be created by an unprivileged user if the kernel supports CLONE_NEWUSER, or by an unprivileged user with the CAP_NET_RAW capability. If the system settings allow allocation of the memory page at address zero, this can lead to arbitrary code execution and privilege escalation; otherwise it leads to a kernel crash and DoS.

References:

http://seclists.org/oss-sec/2015/q4/456
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9

Comment 6 Vladis Dronov 2015-12-18 12:33:38 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future updates for the respective releases may address the issue.

This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 9 Fedora Update System 2015-12-22 07:20:57 UTC
kernel-4.2.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-12-22 22:02:07 UTC
kernel-4.2.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2016-05-10 23:29:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0855 https://rhn.redhat.com/errata/RHSA-2016-0855.html

Comment 15 errata-xmlrpc 2016-11-03 14:41:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 16 errata-xmlrpc 2016-11-03 19:38:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 17 errata-xmlrpc 2016-11-03 21:30:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 18 errata-xmlrpc 2016-11-03 21:46:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html