Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2023-53343

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
17/09/2025
Last modified:
17/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().

With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
has the link-local address as src and dst IP and will be forwarded to
an external IP in the IPv6 Ext Hdr.

For example, the script below generates a packet whose src IP is the
link-local address and dst is updated to 11::.

  # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done
  # python3
  >>> from socket import *
  >>> from scapy.all import *
  >>>
  >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"
  >>>
  >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)
  >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)
  >>>
  >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)
  >>> sk.sendto(bytes(pkt), (DST_ADDR, 0))

For such a packet, we call ip6_route_input() to look up a route for the
next destination in these three functions depending on the header type.

  * ipv6_rthdr_rcv()
  * ipv6_rpl_srh_rcv()
  * ipv6_srh_rcv()

If no route is found, ip6_null_entry is set to skb, and the following
dst_input(skb) calls ip6_pkt_drop().

Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev
as the input device is the loopback interface. Then, we have to check if
skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref
for ip6_null_entry.

BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 ip6_pkt_drop (net/ipv6/route.c:4513)
 ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)
 ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
 ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)
 __netif_receive_skb_one_core (net/core/dev.c:5455)
 process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)
 __napi_poll (net/core/dev.c:6460)
 net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)
 __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
 do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)

 __local_bh_enable_ip (kernel/softirq.c:381)
 __dev_queue_xmit (net/core/dev.c:4231)
 ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)
 rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
 sock_sendmsg (net/socket.c:725 net/socket.c:748)
 __sys_sendto (net/socket.c:2134)
 __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
RIP: 0033:0x7f9dc751baea
Code: d8 64 89 02 48 c7 c0 ff f
---truncated---
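
Added example (not part of the advisory and not the kernel patch itself): a user-space C model of the NULL check the description calls for in icmp6_dev(), shown beside the unchecked form. The struct layouts, the function names icmp6_dev_unchecked, icmp6_dev_checked and resolved_ifindex, and the three test cases are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define LOOPBACK_IFINDEX 1  /* same value the kernel uses for "lo" */

/* Simplified stand-ins for the kernel structures (assumed layouts). */
struct net_device { int ifindex; };
struct inet6_dev  { struct net_device *dev; };
struct rt6_info   { struct inet6_dev *rt6i_idev; };
struct sk_buff    { struct net_device *dev; struct rt6_info *rt; };

/* Unchecked form: trusts that every attached route carries an inet6_dev. */
struct net_device *icmp6_dev_unchecked(const struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;
    if (dev->ifindex == LOOPBACK_IFINDEX && skb->rt)
        dev = skb->rt->rt6i_idev->dev;   /* NULL read for a null entry */
    return dev;
}

/* Checked form: keep skb->dev when the route has no inet6_dev. */
struct net_device *icmp6_dev_checked(const struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;
    if (dev->ifindex == LOOPBACK_IFINDEX) {
        const struct rt6_info *rt6 = skb->rt;
        if (rt6 && rt6->rt6i_idev)
            dev = rt6->rt6i_idev->dev;
    }
    return dev;
}

/* Constructed cases: 0 = routed via eth0, 1 = null entry, 2 = no dst. */
int resolved_ifindex(int which)
{
    struct net_device lo = { LOOPBACK_IFINDEX }, eth0 = { 2 };
    struct inet6_dev idev = { &eth0 };
    struct rt6_info routed = { &idev }, null_entry = { NULL };
    struct sk_buff skb = { &lo, NULL };
    if (which == 0) skb.rt = &routed;
    if (which == 1) skb.rt = &null_entry;
    return icmp6_dev_checked(&skb)->ifindex;
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("case %d -> ifindex %d\n", i, resolved_ifindex(i));
    return 0;
}
```

In the null-entry case the checked form returns the loopback device already on the skb, which is the point at which the unchecked form would read through a NULL rt6i_idev.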

Impact