oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Linux kernel: CVE-2022-1516: NULL pointer dereference in Linux kernel`s X.25 network protocol

From: duoming () zju edu cn
Date: Sun, 19 Jun 2022 22:48:04 +0800 (GMT+08:00)
Hello there,

A NULL pointer dereference flaw was found in the Linux kernel’s X.25 set of
standardized network protocols functionality in the way a user terminates 
their session using a simulated Ethernet card and continued usage of this 
connection.

=*=*=*=*=*=*=*=*=  Bug Details  =*=*=*=*=*=*=*=*=

When the link layer is terminating, x25->neighbour will be set to NULL
in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in
x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is
shown below.

    (Thread 1)                 |  (Thread 2)
x25_link_terminated()          | x25_recvmsg()
 x25_kill_by_neigh()           |  ...
  x25_disconnect()             |  lock_sock(sk)
   ...                         |  ...
   x25->neighbour = NULL //(1) |
   ...                         |  x25->neighbour->extended //(2)

The code sets NULL to x25->neighbour in position (1) and dereferences
x25->neighbour in position (2), which could cause null-ptr-deref bug.

=*=*=*=*=*=*=*=*=  Bug Effects  =*=*=*=*=*=*=*=*=

This flaw allows a local user to crash the system.

=*=*=*=*=*=*=*=*=  Bug Fix  =*=*=*=*=*=*=*=*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/7781607938c8371d4c2b243527430241c62e39c2

=*=*=*=*=*=*=*=*=  Timeline  =*=*=*=*=*=*=*=*=

2022-03-26: commit 7781607938c8 accepted to mainline kernel
2022-03-26: CVE-2022-1516 is assigned

=*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=

Duoming Zhou <duoming () zju edu cn>

Best Regards,
Duoming Zhou
Previous By Date Next
Previous By Thread Next

Current thread: