author | Josh Boyer <jwboyer@fedoraproject.org> | 2016-01-21 10:48:02 -0500 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2016-01-21 10:57:54 -0500 |
commit | 7c29b476ebbec7d76faa9697b8f96b47a5c7c557 (patch) | |
tree | 4ca437e1162f5d290e0ad3f6d0582d136f856032 | |
parent | 1d0b1549f67944b63e4483fc3b83968cda293d84 (diff) | |
CVE-XXXX-XXXX missing null ptr check in nf_nat_redirect_ipv4 (rhbz 1300731 1300732)
-rw-r--r-- | kernel.spec | 7 | ||||
-rw-r--r-- | netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch | 83 |
2 files changed, 90 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 9ef0e56af..90c0dfd6e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -701,6 +701,9 @@ Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
#rhbz 1279653
Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
+#CVE-XXXX-XXXX rhbz 1300731 1300732
+Patch639: netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1466,6 +1469,9 @@ ApplyPatch tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
#rhbz 1279653
ApplyPatch rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
+#CVE-XXXX-XXXX rhbz 1300731 1300732
+ApplyPatch netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2316,6 +2322,7 @@ fi
# %changelog
* Thu Jan 21 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-XXXX-XXXX missing null ptr check in nf_nat_redirect_ipv4 (rhbz 1300731 1300732)
- Fix incorrect country code issue on RTL8812AE devices (rhbz 1279653)
* Wed Jan 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
diff --git a/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch b/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
new file mode 100644
index 000000000..3b2031981
--- /dev/null
+++ b/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
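Review bot: The comment added above `Patch639:` and the matching `ApplyPatch` comment and changelog line all record the placeholder `CVE-XXXX-XXXX` rather than an assigned identifier; presumably none had been issued when this was written, but a placeholder in the spec is easy to forget and breaks later CVE-based lookups of what was backported. A follow-up should replace all three occurrences with the assigned ID once it exists, keeping the `rhbz 1300731 1300732` references beside it.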
@@ -0,0 +1,83 @@
+From f9688b8f6755c3c2eb5c7e2e22ab168d0cb97644 Mon Sep 17 00:00:00 2001
+From: Munehisa Kamata <kamatam@amazon.com>
+Date: Mon, 26 Oct 2015 19:10:52 -0700
+Subject: [PATCH] netfilter: nf_nat_redirect: add missing NULL pointer check
+
+Upstream commit 94f9cd81436c85d8c3a318ba92e236ede73752fc
+
+Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
+redirect IPv4 to use it from nf_tables") has introduced a trivial logic
+change which can result in the following crash.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+IP: [<ffffffffa033002d>] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect]
+PGD 3ba662067 PUD 3ba661067 PMD 0
+Oops: 0000 [#1] SMP
+Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
+CPU: 0 PID: 2536 Comm: ip Tainted: G E 4.1.7-15.23.amzn1.x86_64 #1
+Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015
+task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000
+[...]
+Call Trace:
+ <IRQ>
+ [<ffffffffa0334065>] redirect_tg4+0x15/0x20 [xt_REDIRECT]
+ [<ffffffffa02e2e99>] ipt_do_table+0x2b9/0x5e1 [ip_tables]
+ [<ffffffffa0328045>] iptable_nat_do_chain+0x25/0x30 [iptable_nat]
+ [<ffffffffa031777d>] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4]
+ [<ffffffffa0328020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
+ [<ffffffffa031785e>] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4]
+ [<ffffffffa03280a5>] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat]
+ [<ffffffff81449137>] nf_iterate+0x57/0x80
+ [<ffffffff814491f7>] nf_hook_slow+0x97/0x100
+ [<ffffffff814504d4>] ip_rcv+0x314/0x400
+
+unsigned int
+nf_nat_redirect_ipv4(struct sk_buff *skb,
+...
+{
+...
+ rcu_read_lock();
+ indev = __in_dev_get_rcu(skb->dev);
+ if (indev != NULL) {
+ ifa = indev->ifa_list;
+ newdst = ifa->ifa_local; <---
+ }
+ rcu_read_unlock();
+...
+}
+
+Before the commit, 'ifa' had been always checked before access. After the
+commit, however, it could be accessed even if it's NULL. Interestingly,
+this was once fixed in 2003.
+
+http://marc.info/?l=netfilter-devel&m=106668497403047&w=2
+
+In addition to the original one, we have seen the crash when packets that
+need to be redirected somehow arrive on an interface which hasn't been
+yet fully configured.
+
+This change just reverts the logic to the old behavior to avoid the crash.
+
+Fixes: 8b13eddfdf04 ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables")
+Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/netfilter/nf_nat_redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c
+index 97b75f9bfbcd..d43869879fcf 100644
+--- a/net/netfilter/nf_nat_redirect.c
++++ b/net/netfilter/nf_nat_redirect.c
+@@ -55,7 +55,7 @@ nf_nat_redirect_ipv4(struct sk_buff *skb,
+
+ rcu_read_lock();
+ indev = __in_dev_get_rcu(skb->dev);
+- if (indev != NULL) {
++ if (indev && indev->ifa_list) {
+ ifa = indev->ifa_list;
+ newdst = ifa->ifa_local;
+ }
+--
+2.5.0
+ |
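Review bot: The new condition `if (indev && indev->ifa_list)` in the inner nf_nat_redirect.c hunk reads `indev->ifa_list` once in the test and a second time in the following `ifa = indev->ifa_list;`, with only rcu_read_lock() held; nothing in the hunk stops the second load from observing a list head that was emptied between the two reads (or a compiler-reloaded value), in which case the check passes and `ifa->ifa_local` still dereferences NULL. Loading the pointer once and testing the value actually used closes that window: inside the existing `if (indev) {` branch, `ifa = rcu_dereference(indev->ifa_list);` then `if (ifa)` then `newdst = ifa->ifa_local;`. Whether `ifa_list` carries an `__rcu` annotation in this tree is not visible here; if it does not, a plain single read into `ifa` still removes the double load, and the RCU-protected nature of the access deserves a one-line comment either way. The enclosing nf_nat_redirect_ipv4() starts and ends outside the hunk.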