CVE-2021-47572
Severity:
MEDIUM
Type:
CWE-476
NULL Pointer Dereference
Publication date:
24/05/2024
Last modified:
10/06/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: nexthop: fix null pointer dereference when IPv6 is not enabled<br />
<br />
When we try to add an IPv6 nexthop and IPv6 is not enabled<br />
(!CONFIG_IPV6) we&#39;ll hit a NULL pointer dereference[1] in the error path<br />
of nh_create_ipv6() due to calling ipv6_stub->fib6_nh_release. The bug<br />
has been present since the beginning of IPv6 nexthop gateway support.<br />
Commit 1aefd3de7bc6 ("ipv6: Add fib6_nh_init and release to stubs") tells<br />
us that only fib6_nh_init has a dummy stub because fib6_nh_release should<br />
not be called if fib6_nh_init returns an error, but the commit below added<br />
a call to ipv6_stub->fib6_nh_release in its error path. To fix it return<br />
the dummy stub&#39;s -EAFNOSUPPORT error directly without calling<br />
ipv6_stub->fib6_nh_release in nh_create_ipv6()&#39;s error path.<br />
<br />
[1]<br />
Output is a bit truncated, but it clearly shows the error.<br />
BUG: kernel NULL pointer dereference, address: 000000000000000000<br />
#PF: supervisor instruction fetch in kernel modede<br />
#PF: error_code(0x0010) - not-present pagege<br />
PGD 0 P4D 0<br />
Oops: 0010 [#1] PREEMPT SMP NOPTI<br />
CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014<br />
RIP: 0010:0x0<br />
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.<br />
RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286^Ac<br />
RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000<br />
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860<br />
RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000<br />
R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f<br />
R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840<br />
FS: 00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0<br />
Call Trace:<br />
<br />
nh_create_ipv6+0xed/0x10c<br />
rtm_new_nexthop+0x6d7/0x13f3<br />
? check_preemption_disabled+0x3d/0xf2<br />
? lock_is_held_type+0xbe/0xfd<br />
rtnetlink_rcv_msg+0x23f/0x26a<br />
? check_preemption_disabled+0x3d/0xf2<br />
? rtnl_calcit.isra.0+0x147/0x147<br />
netlink_rcv_skb+0x61/0xb2<br />
netlink_unicast+0x100/0x187<br />
netlink_sendmsg+0x37f/0x3a0<br />
? netlink_unicast+0x187/0x187<br />
sock_sendmsg_nosec+0x67/0x9b<br />
____sys_sendmsg+0x19d/0x1f9<br />
? copy_msghdr_from_user+0x4c/0x5e<br />
? rcu_read_lock_any_held+0x2a/0x78<br />
___sys_sendmsg+0x6c/0x8c<br />
? asm_sysvec_apic_timer_interrupt+0x12/0x20<br />
? lockdep_hardirqs_on+0xd9/0x102<br />
? sockfd_lookup_light+0x69/0x99<br />
__sys_sendmsg+0x50/0x6e<br />
do_syscall_64+0xcb/0xf2<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
RIP: 0033:0x7f98dea28914<br />
Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53<br />
RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e2e<br />
RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914<br />
RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003<br />
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008<br />
R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001<br />
R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0<br />
<br />
Modules linked in: bridge stp llc bonding virtio_net
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.3 (including) | 5.4.163 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.83 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.6 (excluding) |
To consult the complete list of CPE names with products and versions, see this page