National Cybersecurity Institute (Instituto Nacional de Ciberseguridad). INCIBE-CERT section

CVE-2025-38181

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
04/07/2025
Last modified:
04/07/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().

syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0]

The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr().

Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"), reqsk->rsk_listener could be NULL when SYN Cookie is returned to its client, as hinted by the leading SYN Cookie log.

Here are 3 options to fix the bug:

1) Return 0 in calipso_req_setattr()
2) Return an error in calipso_req_setattr()
3) Always set rsk_listener

1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie for CALIPSO. 3) is also no go as there have been many efforts to reduce atomic ops and make TCP robust against DDoS. See also commit 3b24d854cb35 ("tcp/dccp: do not touch listener sk_refcnt under synflood").

As of the blamed commit, SYN Cookie already did not need refcounting, and no one has stumbled on the bug for 9 years, so no CALIPSO user will care about SYN Cookie.

Let's return an error in calipso_req_setattr() and calipso_req_delattr() in the SYN Cookie case.

This can be reproduced by [1] on Fedora and now connect() of nc times out.

[0]:
TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:406 [inline]
RIP: 0010:sock_net include/net/sock.h:655 [inline]
RIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806
Code: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffff88811af89038 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400
RDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030
RBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e
R10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000
R13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050
FS: 00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0
PKRU: 80000000
Call Trace:

ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288
calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204
calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597
netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249
selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342
selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551
security_inet_conn_request+0x50/0xa0 security/security.c:4945
tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825
tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275
tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328
tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781
tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667
tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904
ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436
ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491
dst_input include/net/dst.h:469 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netf
---truncated---
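The following is an added, user-space model of the defect and of the "return an error" fix described in the commit message above; it is not the kernel's code. The structs, the helper names (req_full_sk, model_sock_kmalloc) and the errno returned in the SYN-cookie case are simplifications assumed here so the control flow can be compiled and run on its own: a request_sock whose rsk_listener is NULL stands in for a SYN+ACK answered with a SYN cookie, and the allocation helper reads a field through the sock pointer just as sock_net() does in the real sock_kmalloc().

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct sock: the only field the model touches is the
 * network-namespace pointer that sock_net() reads inside sock_kmalloc(). */
struct sock {
    void *net;
};

/* Stand-in for struct request_sock. With SYN cookies no listener reference
 * is taken, so rsk_listener stays NULL for the cookie-generated request. */
struct request_sock {
    struct sock *rsk_listener;
};

/* Models sk_to_full_sk(req_to_sk(req)): resolves the request socket to its
 * listener, which is NULL in the SYN-cookie case. */
static struct sock *req_full_sk(const struct request_sock *req)
{
    return req->rsk_listener;
}

/* Models sock_kmalloc(): it dereferences sk to locate its netns before
 * allocating. A NULL sk is the null-ptr-deref reported by KASAN. */
static char model_heap[64];
static void *model_sock_kmalloc(struct sock *sk, size_t size)
{
    void *net = sk->net;          /* crash site when sk == NULL */
    (void)net;
    return size <= sizeof(model_heap) ? model_heap : NULL;
}

/* Pre-fix shape: trusts that a listener always exists. */
int calipso_req_setattr_vulnerable(struct request_sock *req)
{
    struct sock *sk = req_full_sk(req);
    return model_sock_kmalloc(sk, 8) ? 0 : -ENOMEM;
}

/* Post-fix shape: refuse to label a SYN-cookie request instead of
 * dereferencing NULL. The errno used here is an assumption of this model,
 * not a claim about the value the kernel patch returns. */
int calipso_req_setattr_fixed(struct request_sock *req)
{
    struct sock *sk = req_full_sk(req);
    if (!sk)                      /* SYN+ACK answered with a SYN cookie */
        return -EINVAL;
    return model_sock_kmalloc(sk, 8) ? 0 : -ENOMEM;
}

/* Constructed scenarios used by the demo and the checks. */
int check_syn_cookie_fixed(void)
{
    struct request_sock req = { .rsk_listener = NULL };
    return calipso_req_setattr_fixed(&req);
}

int check_listener_fixed(void)
{
    struct sock listener = { .net = model_heap };
    struct request_sock req = { .rsk_listener = &listener };
    return calipso_req_setattr_fixed(&req);
}

int check_listener_vulnerable(void)
{
    struct sock listener = { .net = model_heap };
    struct request_sock req = { .rsk_listener = &listener };
    return calipso_req_setattr_vulnerable(&req);
}

int main(void)
{
    printf("fixed, SYN cookie (no listener): %d\n", check_syn_cookie_fixed());
    printf("fixed, normal listener:          %d\n", check_listener_fixed());
    printf("vulnerable, normal listener:     %d\n", check_listener_vulnerable());
    /* calipso_req_setattr_vulnerable() on a NULL-listener request is the
     * crash path and is deliberately not exercised here. */
    return 0;
}
```

The crash dump above is consistent with this model: RDI holds 0x30 and KASAN flags the range 0x30-0x37, i.e. a read of a field at a small offset from a NULL struct sock, performed by read_pnet()/sock_net() inside sock_kmalloc(). The trade-off the commit message states also carries over: once the labelling hook returns an error for cookie-generated requests, a CALIPSO-labelled listener under SYN flooding will refuse those connections rather than crash, which is why the reproducer's nc connect() now times out.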

Impact