|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2023-42754: kernel: null pointer dereference in Linux kernel ipv4 stack | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Alexander Bergmann <abergmann> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | abergmann, denis.kirjanov, gabriele.sonnu, gianluca.gabrielli, mkoutny, mkubecek, rfrohl, smash_bz |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/379113/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-42754:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Comment 5
Michal Kubeček
2023-09-19 18:28:28 UTC
Public via oss-security:
----
Hi there,
I recently found a null pointer dereference in Linux kernel that
affects at least upstream and v6.2.16 and v6.1.y, more versions may be affected.
[Root Cause]
The bug is in "ipv4_send_dest_unreach" function in net/ipv4/route.c.
~~~
static void ipv4_send_dest_unreach(struct sk_buff *skb)
{
...
res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
...
}
~~~
As shown above, this function assumes there is always a device
associated with a sk_buff, which is not always the case. For exmaple,
when the skb is rerouted through ipvs, its skb->dev is NULL. Then the
following `dev_net` call, which accesses `dev->nd_net`, becomes null
pointer dereference.
[Patch]
I have contacted Linux kernel team and prepared a patch for this bug:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=0113d9c9d1cc
Currently, the patch is merged into upstream and added to the stable-queue.
The patch is queued up for v6.5, v6.1, v5.15, v5.10, v5.4, v4.19, v4.14.
A proof-of-concept crash code is attached to this email..
Best,
Kyle Zeng
===================================================================
[ 6.289675] general protection fault, probably for non-canonical
address 0xdffffc0000000096: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 6.292146] KASAN: null-ptr-deref in range
[0x00000000000004b0-0x00000000000004b7]
[ 6.293823] CPU: 0 PID: 509 Comm: poc Not tainted 6.1.47+ #59
[ 6.294699] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[ 6.295151] RIP: 0010:ipv4_link_failure+0x2dc/0x610
[ 6.295423] Code: 80 3c 28 00 48 89 e9 74 12 4c 89 f7 e8 5d e8 bd
fd 48 b9 00 00 00 00 00 fc ff df bd b0 04 00 00 49 03 2e 48 89 e8 48
c1 e8 03 <80> 3c 08 00 74 08 48 89 ef e8 36 e8 bd fd 48 8b 7d 00 48 8d
74 24
[ 6.296423] RSP: 0018:ffff88800bc87530 EFLAGS: 00010206
[ 6.296710] RAX: 0000000000000096 RBX: ffff88800af22c04 RCX: dffffc0000000000
[ 6.297096] RDX: dffffc0000000000 RSI: 00000000fffffff8 RDI: ffff88800bc87578
[ 6.297482] RBP: 00000000000004b0 R08: dffffc0000000000 R09: ffff88800bc87570
[ 6.297868] R10: dfffe91001790eb1 R11: 1ffff11001790eae R12: ffff88800af22b40
[ 6.298282] R13: 1ffff110015e4576 R14: ffff88800af22b50 R15: 1ffff110015e4576
[ 6.298679] FS: 00000000032493c0(0000) GS:ffff888034e00000(0000)
knlGS:0000000000000000
[ 6.299123] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.299442] CR2: 0000000000404dfe CR3: 000000000d492004 CR4: 0000000000770ef0
[ 6.299841] PKRU: 55555554
[ 6.299995] Call Trace:
[ 6.300137] <TASK>
[ 6.300259] ? __die_body+0x67/0xb0
[ 6.300455] ? die_addr+0xb2/0xe0
[ 6.300641] ? exc_general_protection+0x27f/0x3c0
[ 6.300902] ? asm_exc_general_protection+0x22/0x30
[ 6.301167] ? ipv4_link_failure+0x2dc/0x610
[ 6.301398] __ip_vs_get_out_rt+0x54a/0x1060
[ 6.301629] ? kasan_save_free_info+0x27/0x40
[ 6.301871] ip_vs_nat_xmit+0x144/0x800
[ 6.302114] ? ip_vs_in_stats+0x1ca/0x2d0
[ 6.302334] ip_vs_in_hook+0xc13/0x1b20
[ 6.302546] ? ip_vs_out_hook+0xd70/0xd70
[ 6.302767] nf_hook_slow+0xb4/0x190
[ 6.302963] __ip_local_out+0x347/0x450
[ 6.303171] ? __ip_local_out+0x450/0x450
[ 6.303387] ip_send_skb+0x48/0x110
[ 6.303589] udp_send_skb+0x6e4/0x1370
[ 6.303805] udp_sendmsg+0x16ba/0x2850
[ 6.304016] ? ip_skb_dst_mtu+0x5e0/0x5e0
[ 6.304250] ? inet_send_prepare+0x2f0/0x2f0
[ 6.304492] ____sys_sendmsg+0x560/0x6d0
[ 6.304726] __sys_sendmsg+0x1bd/0x240
[ 6.304959] do_syscall_64+0x67/0x90
[ 6.305165] ? exit_to_user_mode_prepare+0x12/0xa0
[ 6.305429] ? syscall_exit_to_user_mode+0x28/0x150
[ 6.305701] ? do_syscall_64+0x75/0x90
[ 6.305915] ? exit_to_user_mode_prepare+0x12/0xa0
[ 6.306199] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 6.306485] RIP: 0033:0x474087
[ 6.306690] Code: ff ff f7 d8 64 89 02 b8 ff ff ff ff eb b8 0f 1f
44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74
24 10
[ 6.308329] RSP: 002b:00007ffe8e9dce28 EFLAGS: 00000246 ORIG_RAX:
000000000000002e
[ 6.308792] RAX: ffffffffffffffda RBX: 00007ffe8e9dd0a8 RCX: 0000000000474087
[ 6.309199] RDX: 0000000000000000 RSI: 00007ffe8e9dce40 RDI: 0000000000000006
[ 6.309629] RBP: 00007ffe8e9dcea0 R08: 0000000000000004 R09: 000000000324b480
[ 6.310071] R10: 00007ffe8e9dce30 R11: 0000000000000246 R12: 0000000000000001
[ 6.310451] R13: 00007ffe8e9dd098 R14: 00000000004fd740 R15: 0000000000000002
[ 6.310869] </TASK>
[ 6.311002] Modules linked in:
[ 6.311222] ---[ end trace 0000000000000000 ]---
[ 6.311493] RIP: 0010:ipv4_link_failure+0x2dc/0x610
[ 6.311807] Code: 80 3c 28 00 48 89 e9 74 12 4c 89 f7 e8 5d e8 bd
fd 48 b9 00 00 00 00 00 fc ff df bd b0 04 00 00 49 03 2e 48 89 e8 48
c1 e8 03 <80> 3c 08 00 74 08 48 89 ef e8 36 e8 bd fd 48 8b 7d 00 48 8d
74 24
[ 6.312941] RSP: 0018:ffff88800bc87530 EFLAGS: 00010206
[ 6.313283] RAX: 0000000000000096 RBX: ffff88800af22c04 RCX: dffffc0000000000
[ 6.313766] RDX: dffffc0000000000 RSI: 00000000fffffff8 RDI: ffff88800bc87578
[ 6.314248] RBP: 00000000000004b0 R08: dffffc0000000000 R09: ffff88800bc87570
[ 6.314676] R10: dfffe91001790eb1 R11: 1ffff11001790eae R12: ffff88800af22b40
[ 6.315138] R13: 1ffff110015e4576 R14: ffff88800af22b50 R15: 1ffff110015e4576
[ 6.315591] FS: 00000000032493c0(0000) GS:ffff888034e00000(0000)
knlGS:0000000000000000
[ 6.316130] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.316501] CR2: 0000000000404dfe CR3: 000000000d492004 CR4: 0000000000770ef0
[ 6.316979] PKRU: 55555554
[ 6.317146] Kernel panic - not syncing: Fatal exception
[ 6.317688] Kernel Offset: disabled
[ 6.317910] Rebooting in 1000 seconds..
bsc#1215467 CVE-2023-42754 introduced ed0de45a1008 5.1-rc6 fixed 0113d9c9d1cc 6.6-rc3 The offending commit has been also backported to 4.12 based branches and SLE12-SP3-LTSS. The fix has been submitted to all relevant branches: stable a4ade06dd52a (merged) SLE15-SP6 de822059ff44 (merged) SLE15-SP4 ad87dd3ac8ea (merged) cve/linux-5.3 ecc7c7a32385 cve/linux-4.12 3bbdd9178228 (merged) SLE12-SP3-LTSS 38dd1a154336 Reassigning back to security team. SUSE-SU-2023:4031-1: An update that solves 13 vulnerabilities, contains one feature and has 39 security fixes can now be installed. Category: security (important) Bug References: 1065729, 1109837, 1152446, 1154048, 1207168, 1208995, 1210169, 1212703, 1213016, 1214157, 1214380, 1214386, 1214586, 1214940, 1214943, 1214945, 1214946, 1214948, 1214949, 1214950, 1214952, 1214953, 1214961, 1214962, 1214964, 1214965, 1214966, 1214967, 1215115, 1215117, 1215121, 1215122, 1215136, 1215149, 1215152, 1215162, 1215164, 1215165, 1215207, 1215221, 1215275, 1215299, 1215467, 1215607, 1215634, 1215858, 1215860, 1215861, 1215877, 1215897, 1215898, 1215954 CVE References: CVE-2020-36766, CVE-2023-0394, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921 Jira References: PED-5021 Sources used: SUSE Linux Enterprise Live Patching 12-SP5 (src): kgraft-patch-SLE12-SP5_Update_49-1-8.3.1 SUSE Linux Enterprise Software Development Kit 12 SP5 (src): kernel-obs-build-4.12.14-122.179.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): kernel-source-4.12.14-122.179.1, kernel-syms-4.12.14-122.179.1 SUSE Linux Enterprise Server 12 SP5 (src): kernel-source-4.12.14-122.179.1, kernel-syms-4.12.14-122.179.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): kernel-source-4.12.14-122.179.1, kernel-syms-4.12.14-122.179.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2023:4033-1: An update that solves 12 vulnerabilities and has 39 security fixes can now be installed. Category: security (important) Bug References: 1065729, 1109837, 1152446, 1154048, 1208995, 1210169, 1212703, 1213016, 1214157, 1214380, 1214386, 1214586, 1214940, 1214943, 1214945, 1214946, 1214948, 1214949, 1214950, 1214952, 1214953, 1214961, 1214962, 1214964, 1214965, 1214966, 1214967, 1215115, 1215117, 1215121, 1215122, 1215136, 1215149, 1215152, 1215162, 1215164, 1215165, 1215207, 1215221, 1215275, 1215299, 1215467, 1215607, 1215634, 1215858, 1215860, 1215861, 1215877, 1215897, 1215898, 1215954 CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921 Sources used: SUSE Linux Enterprise Real Time 12 SP5 (src): kernel-syms-rt-4.12.14-10.144.1, kernel-source-rt-4.12.14-10.144.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2023:4058-1: An update that solves 18 vulnerabilities, contains three features and has 71 security fixes can now be installed. Category: security (important) Bug References: 1065729, 1152472, 1187236, 1201284, 1202845, 1206453, 1208995, 1210169, 1210643, 1210658, 1212639, 1212703, 1213123, 1213534, 1213808, 1214022, 1214037, 1214040, 1214233, 1214351, 1214479, 1214543, 1214635, 1214813, 1214873, 1214928, 1214940, 1214941, 1214942, 1214943, 1214944, 1214945, 1214946, 1214947, 1214948, 1214949, 1214950, 1214951, 1214952, 1214953, 1214954, 1214955, 1214957, 1214958, 1214959, 1214961, 1214962, 1214963, 1214964, 1214965, 1214966, 1214967, 1214986, 1214988, 1214990, 1214991, 1214992, 1214993, 1214995, 1214997, 1214998, 1215115, 1215117, 1215123, 1215124, 1215148, 1215150, 1215221, 1215275, 1215322, 1215467, 1215523, 1215581, 1215752, 1215858, 1215860, 1215861, 1215875, 1215877, 1215894, 1215895, 1215896, 1215899, 1215911, 1215915, 1215916, 1215941, 1215956, 1215957 CVE References: CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-37453, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-40283, CVE-2023-4155, CVE-2023-42753, CVE-2023-42754, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5345 Jira References: PED-1549, PED-2023, PED-2025 Sources used: openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1 Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2023:4347-1: An update that solves 17 vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1208995, 1210169, 1210778, 1212703, 1214233, 1214380, 1214386, 1215115, 1215117, 1215221, 1215275, 1215299, 1215467, 1215745, 1215858, 1215860, 1215861, 1216046, 1216051 CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-31085, CVE-2023-34324, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-40283, CVE-2023-42754, CVE-2023-45862, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921 Sources used: SUSE Linux Enterprise Live Patching 15-SP1 (src): kernel-livepatch-SLE15-SP1_Update_45-1-150100.3.3.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): kernel-obs-build-4.12.14-150100.197.160.1, kernel-syms-4.12.14-150100.197.160.1, kernel-source-4.12.14-150100.197.160.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): kernel-obs-build-4.12.14-150100.197.160.1, kernel-syms-4.12.14-150100.197.160.1, kernel-source-4.12.14-150100.197.160.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): kernel-obs-build-4.12.14-150100.197.160.1, kernel-syms-4.12.14-150100.197.160.1, kernel-source-4.12.14-150100.197.160.1 SUSE CaaS Platform 4.0 (src): kernel-obs-build-4.12.14-150100.197.160.1, kernel-syms-4.12.14-150100.197.160.1, kernel-source-4.12.14-150100.197.160.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2023:4348-1: An update that solves 11 vulnerabilities and has three security fixes can now be installed. Category: security (important) Bug References: 1210778, 1210853, 1212051, 1214842, 1215095, 1215467, 1215518, 1215745, 1215858, 1215860, 1215861, 1216046, 1216051, 1216134 CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-3111, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-45862 Sources used: openSUSE Leap 15.3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2, kernel-obs-qa-5.3.18-150300.59.141.1, kernel-source-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-livepatch-SLE15-SP3_Update_38-1-150300.7.3.2 SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_38-1-150300.7.3.2 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2 SUSE Manager Proxy 4.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1 SUSE Manager Retail Branch Server 4.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1 SUSE Manager Server 4.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1 SUSE Enterprise Storage 7.1 (src): kernel-syms-5.3.18-150300.59.141.1, kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2, kernel-source-5.3.18-150300.59.141.1, kernel-obs-build-5.3.18-150300.59.141.2 SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2 SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2 SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.141.2.150300.18.82.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2023:4358-1: An update that solves nine vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1212051, 1214842, 1215095, 1215467, 1215518, 1215745, 1215858, 1215860, 1215861, 1216046 CVE References: CVE-2023-2163, CVE-2023-3111, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2023:4377-1: An update that solves 10 vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1210778, 1210853, 1212051, 1215467, 1215518, 1215745, 1215858, 1215860, 1215861, 1216046, 1216051, 1216134 CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-3111, CVE-2023-34324, CVE-2023-39189, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-42754, CVE-2023-45862 Sources used: SUSE Linux Enterprise Live Patching 15-SP2 (src): kernel-livepatch-SLE15-SP2_Update_42-1-150200.5.3.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.169.1, kernel-source-5.3.18-150200.24.169.1, kernel-syms-5.3.18-150200.24.169.1, kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.169.1, kernel-source-5.3.18-150200.24.169.1, kernel-syms-5.3.18-150200.24.169.1, kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): kernel-obs-build-5.3.18-150200.24.169.1, kernel-source-5.3.18-150200.24.169.1, kernel-syms-5.3.18-150200.24.169.1, kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. *** Bug 1220875 has been marked as a duplicate of this bug. *** done, closing |