Hello,
Linux kernel built with the TCP/IP networking support(CONFIG_NET) is vulnerable to a NULL pointer dereference flaw. It could occur via a plain read(2) call on a ping socket. Usage of ping sockets is generally restricted to privileged users.
A user/program able to read from ping sockets could use this flaw to crash a
system resulting in DoS.
Upstream fix:
-------------
-> https://git.kernel.org/linus/cf970c002d270c36202bd5b9c2804d3097a52da0
-rw-r--r-- net/ipv4/ping.c 34
1 files changed, 19 insertions, 15 deletions
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index aacefa0..91bfe04 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -870,11 +870,13 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
if (family == AF_INET) {
struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
- sin->sin_family = AF_INET;
- sin->sin_port = 0 /* skb->h.uh->source */;
- sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
- memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
- *addr_len = sizeof(*sin);
+ if (sin) {
+ sin->sin_family = AF_INET;
+ sin->sin_port = 0 /* skb->h.uh->source */;
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
+ *addr_len = sizeof(*sin);
+ }
if (isk->cmsg_flags)
ip_cmsg_recv(msg, skb);
@@ -886,16 +888,18 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
struct sockaddr_in6 *sin6 =
(struct sockaddr_in6 *)msg->msg_name;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_port = 0;
- sin6->sin6_addr = ip6->saddr;
- sin6->sin6_flowinfo = 0;
- if (np->sndflow)
- sin6->sin6_flowinfo = ip6_flowinfo(ip6);
-
- sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,
- IP6CB(skb)->iif);
- *addr_len = sizeof(*sin6);
+ if (sin6) {
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_port = 0;
+ sin6->sin6_addr = ip6->saddr;
+ sin6->sin6_flowinfo = 0;
+ if (np->sndflow)
+ sin6->sin6_flowinfo = ip6_flowinfo(ip6);
+ sin6->sin6_scope_id =
+ ipv6_iface_scope_id(&sin6->sin6_addr,
+ IP6CB(skb)->iif);
+ *addr_len = sizeof(*sin6);
+ }
if (inet6_sk(sk)->rxopt.all)
pingv6_ops.ip6_datagram_recv_ctl(sk, msg, skb);
Reference:
----------
-> https://bugzilla.redhat.com/show_bug.cgi?id=1039046
Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
