Bug 1825116 (CVE-2020-10711) - CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10711
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1827226 1827227 1827228 1827229 1827230 1827231 1827233 1827234 1827235 1827236 1827237 1827238 1827239 1827240 1827241 1827242 1827243 1827244 1827245 1827246 1827247 1827248 1827249 1827250 1827251 1827328 1827329 1827330 1827331 1827332 1828336 1828337 1834778
Blocks: 1824404
 
Reported: 2020-04-17 06:32 UTC by Marian Rehak
Modified: 2021-04-23 12:09 UTC

Fixed In Version: kernel-5.7
Doc Text:
A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the 'ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-05-12 16:32:26 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2172 0 None None None 2020-05-18 01:01:28 UTC
Red Hat Product Errata RHBA-2020:2173 0 None None None 2020-05-18 02:22:20 UTC
Red Hat Product Errata RHBA-2020:2233 0 None None None 2020-05-20 12:27:42 UTC
Red Hat Product Errata RHBA-2020:2578 0 None None None 2020-06-16 11:55:43 UTC
Red Hat Product Errata RHSA-2020:2082 0 None None None 2020-05-12 18:38:32 UTC
Red Hat Product Errata RHSA-2020:2085 0 None None None 2020-05-12 18:38:44 UTC
Red Hat Product Errata RHSA-2020:2102 0 None None None 2020-05-12 15:27:12 UTC
Red Hat Product Errata RHSA-2020:2103 0 None None None 2020-05-12 15:33:50 UTC
Red Hat Product Errata RHSA-2020:2104 0 None None None 2020-05-12 15:12:47 UTC
Red Hat Product Errata RHSA-2020:2125 0 None None None 2020-05-13 07:44:03 UTC
Red Hat Product Errata RHSA-2020:2171 0 None None None 2020-05-14 19:07:02 UTC
Red Hat Product Errata RHSA-2020:2199 0 None None None 2020-05-19 12:38:08 UTC
Red Hat Product Errata RHSA-2020:2203 0 None None None 2020-05-19 12:38:52 UTC
Red Hat Product Errata RHSA-2020:2214 0 None None None 2020-05-19 14:41:35 UTC
Red Hat Product Errata RHSA-2020:2242 0 None None None 2020-05-20 17:35:42 UTC
Red Hat Product Errata RHSA-2020:2277 0 None None None 2020-05-26 09:39:56 UTC
Red Hat Product Errata RHSA-2020:2285 0 None None None 2020-05-26 08:48:36 UTC
Red Hat Product Errata RHSA-2020:2289 0 None None None 2020-05-26 11:17:21 UTC
Red Hat Product Errata RHSA-2020:2291 0 None None None 2020-05-26 11:17:37 UTC
Red Hat Product Errata RHSA-2020:2429 0 None None None 2020-06-09 18:45:06 UTC
Red Hat Product Errata RHSA-2020:2519 0 None None None 2020-06-11 01:33:23 UTC
Red Hat Product Errata RHSA-2020:2522 0 None None None 2020-06-11 02:10:23 UTC

Description Marian Rehak 2020-04-17 06:32:45 UTC
A NULL pointer dereference issue was found in the Linux kernel's SELinux subsystem. It occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into SELinux's extensible bitmap via the 'ebitmap_netlbl_import' routine. While parsing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This leads to the said NULL pointer dereference issue while importing the same category bitmap into SELinux. A remote network user could use this flaw to crash the system kernel, resulting in a DoS scenario.

This issue was introduced by upstream commit:
  -> https://git.kernel.org/linus/4b8feff251da3d7058b5779e21b33a85c686b974
     netlabel: fix the horribly broken catmap functions


Upstream patch:
---------------
  -> https://lore.kernel.org/netdev/07d99ae197bfdb2964931201db67b6cd0b38db5b.1589276729.git.pabeni@redhat.com/T/#u

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/05/12/2
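
Added example (not part of the original report and not the kernel's code): a user-space C model of the flag/pointer mismatch described above, showing a parser that sets the "category bitmap present" flag unconditionally beside one that sets it only when the bitmap was allocated. All names (SECATTR_MLS_CAT, struct secattr, parse_vulnerable, parse_hardened, import_categories) and the lazily allocated 64-bit bitmap are simplifying assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define SECATTR_MLS_CAT 0x1u        /* stand-in for the "category bitmap present" flag */

struct catmap { uint64_t bits; };   /* simplified: at most 64 categories */
struct secattr { unsigned flags; struct catmap *cat; };

/* Copy set category bits into a->cat, allocating it lazily on the first
 * set bit (assumed model). Returns 0 on success, -1 if allocation fails. */
static int map_categories(const unsigned char *bm, size_t len, struct secattr *a)
{
    for (size_t i = 0; i < len * 8 && i < 64; i++) {
        if (!(bm[i / 8] & (0x80u >> (i % 8))))
            continue;
        if (!a->cat && !(a->cat = calloc(1, sizeof(*a->cat))))
            return -1;
        a->cat->bits |= 1ULL << i;
    }
    return 0;
}

/* 'Before': the flag is set whenever the tag carried category bytes. */
int parse_vulnerable(const unsigned char *bm, size_t len, struct secattr *a)
{
    if (len && map_categories(bm, len, a) != 0)
        return -1;
    if (len)
        a->flags |= SECATTR_MLS_CAT;    /* set even when a->cat is still NULL */
    return 0;
}

/* 'After': the flag only advertises a bitmap that actually exists. */
int parse_hardened(const unsigned char *bm, size_t len, struct secattr *a)
{
    if (len && map_categories(bm, len, a) != 0)
        return -1;
    if (a->cat)
        a->flags |= SECATTR_MLS_CAT;
    return 0;
}

/* Consumer: returns the number of categories, or -1 when the flag claims a
 * bitmap that was never allocated (an unchecked importer would crash here). */
int import_categories(const struct secattr *a)
{
    if (!(a->flags & SECATTR_MLS_CAT))
        return 0;
    if (!a->cat)
        return -1;
    return __builtin_popcountll(a->cat->bits);
}
```

The invariant to audit for in similar code is that every "present" flag is set only after the pointer it describes is known to be non-NULL, with the consumer checking the pointer as a second line of defence.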

Comment 3 Prasad Pandit 2020-04-23 12:48:57 UTC
Acknowledgments:

Name: Matthew Sheets (gd-ms.com)

Comment 11 Prasad Pandit 2020-05-07 19:31:11 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

This issue can only be resolved by applying updates.

Comment 12 Prasad Pandit 2020-05-12 12:08:00 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1834778]

Comment 13 errata-xmlrpc 2020-05-12 15:12:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2104 https://access.redhat.com/errata/RHSA-2020:2104

Comment 14 errata-xmlrpc 2020-05-12 15:27:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2102 https://access.redhat.com/errata/RHSA-2020:2102

Comment 15 errata-xmlrpc 2020-05-12 15:33:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2103 https://access.redhat.com/errata/RHSA-2020:2103

Comment 16 Product Security DevOps Team 2020-05-12 16:32:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10711

Comment 17 errata-xmlrpc 2020-05-12 18:38:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2082 https://access.redhat.com/errata/RHSA-2020:2082

Comment 18 errata-xmlrpc 2020-05-12 18:38:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2085 https://access.redhat.com/errata/RHSA-2020:2085

Comment 20 errata-xmlrpc 2020-05-13 07:43:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2125 https://access.redhat.com/errata/RHSA-2020:2125

Comment 23 errata-xmlrpc 2020-05-14 19:06:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2171 https://access.redhat.com/errata/RHSA-2020:2171

Comment 25 errata-xmlrpc 2020-05-19 12:37:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2199 https://access.redhat.com/errata/RHSA-2020:2199

Comment 26 errata-xmlrpc 2020-05-19 12:38:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2203 https://access.redhat.com/errata/RHSA-2020:2203

Comment 27 errata-xmlrpc 2020-05-19 14:41:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:2214 https://access.redhat.com/errata/RHSA-2020:2214

Comment 28 errata-xmlrpc 2020-05-20 17:35:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:2242 https://access.redhat.com/errata/RHSA-2020:2242

Comment 30 errata-xmlrpc 2020-05-26 08:48:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:2285 https://access.redhat.com/errata/RHSA-2020:2285

Comment 31 errata-xmlrpc 2020-05-26 09:39:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:2277 https://access.redhat.com/errata/RHSA-2020:2277

Comment 32 errata-xmlrpc 2020-05-26 11:17:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2289 https://access.redhat.com/errata/RHSA-2020:2289

Comment 33 errata-xmlrpc 2020-05-26 11:17:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2291 https://access.redhat.com/errata/RHSA-2020:2291

Comment 38 errata-xmlrpc 2020-06-09 18:45:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2429 https://access.redhat.com/errata/RHSA-2020:2429

Comment 39 Petr Matousek 2020-06-10 11:39:48 UTC
Statement:

This issue affects the versions of the kernel packages as shipped with Red Hat Enterprise Linux 6, starting with the Red Hat Enterprise Linux 6.7 GA version kernel-2.6.32-573. Prior Red Hat Enterprise Linux 6 kernel versions are not affected.

Comment 40 errata-xmlrpc 2020-06-11 01:33:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2519 https://access.redhat.com/errata/RHSA-2020:2519

Comment 41 errata-xmlrpc 2020-06-11 02:10:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2522 https://access.redhat.com/errata/RHSA-2020:2522

