Home

Description

In the Linux kernel, the following vulnerability has been resolved: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that has the link-local address as src and dst IP and will be forwarded to an external IP in the IPv6 Ext Hdr. For example, the script below generates a packet whose src IP is the link-local address and dst is updated to 11::. # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done # python3 >>> from socket import * >>> from scapy.all import * >>> >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" >>> >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) >>> >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) For such a packet, we call ip6_route_input() to look up a route for the next destination in these three functions depending on the header type. * ipv6_rthdr_rcv() * ipv6_rpl_srh_rcv() * ipv6_srh_rcv() If no route is found, ip6_null_entry is set to skb, and the following dst_input(skb) calls ip6_pkt_drop(). Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev as the input device is the loopback interface. Then, we have to check if skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref for ip6_null_entry. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> ip6_pkt_drop (net/ipv6/route.c:4513) ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) __netif_receive_skb_one_core (net/core/dev.c:5455) process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) __napi_poll (net/core/dev.c:6460) net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:381) __dev_queue_xmit (net/core/dev.c:4231) ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) sock_sendmsg (net/socket.c:725 net/socket.c:748) __sys_sendto (net/socket.c:2134) __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x7f9dc751baea Code: d8 64 89 02 48 c7 c0 ff f ---truncated---

PUBLISHED Reserved 2025-09-16 | Published 2025-09-17 | Updated 2025-09-17 | Assigner Linux

Product status

Default status
unaffected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 8803c59fde4dd370a627dfbf7183682fa0cabf70
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 61b4c4659746959056450b92a5d7e6bc1243b31b
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before d30ddd7ff15df9d91a793ce3f06f0190ff7afacc
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 1462e9d9aa52d14665eaca6d89d22c4af44ede04
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before aa657d319e6c7502a4eb85cc0ee80cc81b8e5724
affected

4832c30d5458387ff2533ff66fbde26ad8bb5a2d (git) before 2aaa8a15de73874847d62eb595c6683bface80fd
affected

Default status
affected

4.14
affected

Any version before 4.14
unaffected

4.19.291 (semver)
unaffected

5.4.251 (semver)
unaffected

5.10.188 (semver)
unaffected

5.15.121 (semver)
unaffected

6.1.40 (semver)
unaffected

6.4.5 (semver)
unaffected

6.5 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/8803c59fde4dd370a627dfbf7183682fa0cabf70

git.kernel.org/...c/61b4c4659746959056450b92a5d7e6bc1243b31b

git.kernel.org/...c/d30ddd7ff15df9d91a793ce3f06f0190ff7afacc

git.kernel.org/...c/3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8

git.kernel.org/...c/1462e9d9aa52d14665eaca6d89d22c4af44ede04

git.kernel.org/...c/aa657d319e6c7502a4eb85cc0ee80cc81b8e5724

git.kernel.org/...c/2aaa8a15de73874847d62eb595c6683bface80fd

cve.org (CVE-2023-53343)

nvd.nist.gov (CVE-2023-53343)

Download JSON