Description
In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
Product status
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e (git) before 571d9d7b650f02d1e38c01128817868bceac9edd
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e (git) before d783fa413c702ff0f8f8bea63f862e28eeaf39e3
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e (git) before 1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e (git) before b61529c357f1ee4d64836eb142a542d2e7ad67ce
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e (git) before 9647e99d2a617c355d2b378be0ff6d0e848fd579
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e (git) before d938dd5a0ad780c891ea3bc94cae7405f11e618a
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e (git) before 1e4e2f5e48cec0cccaea9815fb9486c084ba41e2
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e (git) before 614aefe56af8e13331e50220c936fc0689cf5675
3.14
Any version before 3.14
5.10.253 (semver)
5.15.203 (semver)
6.1.167 (semver)
6.6.130 (semver)
6.12.78 (semver)
6.18.20 (semver)
6.19.10 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/571d9d7b650f02d1e38c01128817868bceac9edd
git.kernel.org/...c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3
git.kernel.org/...c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161
git.kernel.org/...c/b61529c357f1ee4d64836eb142a542d2e7ad67ce
git.kernel.org/...c/9647e99d2a617c355d2b378be0ff6d0e848fd579
git.kernel.org/...c/d938dd5a0ad780c891ea3bc94cae7405f11e618a
git.kernel.org/...c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2
git.kernel.org/...c/614aefe56af8e13331e50220c936fc0689cf5675