Description
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix a potential NPD in cleanup_prefix_route() addrconf_get_prefix_route() can return the fib6_null_entry sentinel entry which has a NULL fib6_table pointer. Therefore, before setting the route's expiration time, check that we are not working with this entry, as otherwise a NPD will be triggered [1]. Note that the other callers of addrconf_get_prefix_route() are not susceptible to this bug: 1. addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF | RTF_PREFIX_RT' flags which are not set on fib6_null_entry. 2. modify_prefix_route(): Fixed by commit a747e02430df ("ipv6: avoid possible NULL deref in modify_prefix_route()"). 3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for fib6_null_entry and returns an error. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [...] Call Trace: <TASK> __kasan_check_byte (mm/kasan/common.c:573) lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1)) _raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1)) cleanup_prefix_route (net/ipv6/addrconf.c:1280) ipv6_del_addr (net/ipv6/addrconf.c:1342) inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119) inet6_rtm_deladdr (net/ipv6/addrconf.c:4812) rtnetlink_rcv_msg (net/core/rtnetlink.c:6997) netlink_rcv_skb (net/netlink/af_netlink.c:2555) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1899) __sock_sendmsg (net/socket.c:802 (discriminator 4)) ____sys_sendmsg (net/socket.c:2698) ___sys_sendmsg (net/socket.c:2752) __sys_sendmsg (net/socket.c:2784) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
Product status
bd12abe294c7738421bdfbc486f1909d02db30e9 (git) before 5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2
5eb902b8e7193cdcb33242af0a56502e6b5206e9 (git) before 192df376a05c2db15564640f9da7e20907c1fa24
5eb902b8e7193cdcb33242af0a56502e6b5206e9 (git) before 07d9a0870a178843cea44cfd58c27445dc94cf5f
5eb902b8e7193cdcb33242af0a56502e6b5206e9 (git) before 653a2849305708f75260b5296f17b2a759ff9cc7
5eb902b8e7193cdcb33242af0a56502e6b5206e9 (git) before b70c687b7cf267fb08586667a3946c8851cad672
6.6.120 (semver) before 6.6.143
6.9
Any version before 6.9
6.6.143 (semver)
6.12.94 (semver)
6.18.36 (semver)
7.0.13 (semver)
7.1 (original_commit_for_fix)
References
git.kernel.org/...c/5f82b02b4059ddc06e4fcfd057bfb59fd6885cd2
git.kernel.org/...c/192df376a05c2db15564640f9da7e20907c1fa24
git.kernel.org/...c/07d9a0870a178843cea44cfd58c27445dc94cf5f
git.kernel.org/...c/653a2849305708f75260b5296f17b2a759ff9cc7
git.kernel.org/...c/b70c687b7cf267fb08586667a3946c8851cad672