A null pointer dereference in Linux kernel that affects multiple kernel versions. The bug is in "rawv6_push_pending_frames" function in net/ipv6/raw.c. According to Herbert Xu, who fixed the bug, the root cause is that "total_len = inet_sk(sk)->cork.base.length" in this function also counts the length of the extension header (+ the amount of valid data in the socket cork queue). In the vulnerable version of the function, it directly uses the length as the amount of data in the cork queue. In the following code: struct sk_buff *csum_skb = NULL; ... skb_queue_walk(&sk->sk_write_queue, skb) { ... if (offset >= len) { offset -= len; continue; } csum_skb = skb; } skb = csum_skb; If the `offset` is larger than the amount of data in the socket cork queue but smaller than valid data length + extension header length, then the loop shown above will always enter the "if (offset >= len)" branch. As a result, csum_skb will never be set. Consequently, the final skb variable will be set to NULL. Null dereference happens in the following "skb_transport_offset(skb);" call.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2736 https://access.redhat.com/errata/RHSA-2023:2736
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2951 https://access.redhat.com/errata/RHSA-2023:2951
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0394
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412