Description
In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) [...] Call Trace: <TASK> genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) [...] netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so callers correctly take their error paths. There is only one caller of the vulnerable function and only privileged users can trigger it.
Product status
fd384412e199b62c3ddaabd18dce86d0e164c5b9 (git) before dfc96ae0074cc47b5478a59e5aa19233e434243f
fd384412e199b62c3ddaabd18dce86d0e164c5b9 (git) before 66117dbb3dbae82f86735bf727b1d59cc677afa1
fd384412e199b62c3ddaabd18dce86d0e164c5b9 (git) before ba7c9ddcdd077942b798979edb035207374d4096
fd384412e199b62c3ddaabd18dce86d0e164c5b9 (git) before a05a2149386f6dfb4245f522acdbef892acafc84
fd384412e199b62c3ddaabd18dce86d0e164c5b9 (git) before 9f036aa0fe46c19e938f03d10e02c23f4fffae5e
fd384412e199b62c3ddaabd18dce86d0e164c5b9 (git) before 003343985f26dfefd0c94b1fe1316a2de74428b9
fd384412e199b62c3ddaabd18dce86d0e164c5b9 (git) before 12aa4b73a67d95bc739995a2d6943aec2f9785c9
fd384412e199b62c3ddaabd18dce86d0e164c5b9 (git) before b3a6df291fecf5f8a308953b65ca72b7fc9e015d
3.18
Any version before 3.18
5.10.253 (semver)
5.15.203 (semver)
6.1.167 (semver)
6.6.130 (semver)
6.12.78 (semver)
6.18.20 (semver)
6.19.10 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/dfc96ae0074cc47b5478a59e5aa19233e434243f
git.kernel.org/...c/66117dbb3dbae82f86735bf727b1d59cc677afa1
git.kernel.org/...c/ba7c9ddcdd077942b798979edb035207374d4096
git.kernel.org/...c/a05a2149386f6dfb4245f522acdbef892acafc84
git.kernel.org/...c/9f036aa0fe46c19e938f03d10e02c23f4fffae5e
git.kernel.org/...c/003343985f26dfefd0c94b1fe1316a2de74428b9
git.kernel.org/...c/12aa4b73a67d95bc739995a2d6943aec2f9785c9
git.kernel.org/...c/b3a6df291fecf5f8a308953b65ca72b7fc9e015d