[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Linux kernel: CVE-2022-1516: NULL pointer dereference in Linux kernel`s X.25 network 
From:       duoming () zju ! edu ! cn
Date:       2022-06-19 14:48:04
Message-ID: 5953bcb8.7a23f.1817c6f6683.Coremail.duoming () zju ! edu ! cn
[Download RAW message or body]

Hello there,

A NULL pointer dereference flaw was found in the Linux kernel's X.25 set of
standardized network protocols functionality in the way a user terminates 
their session using a simulated Ethernet card and continued usage of this 
connection.

=*=*=*=*=*=*=*=*=  Bug Details  =*=*=*=*=*=*=*=*=

When the link layer is terminating, x25->neighbour will be set to NULL
in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in
x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is
shown below.

    (Thread 1)                 |  (Thread 2)
x25_link_terminated()          | x25_recvmsg()
 x25_kill_by_neigh()           |  ...
  x25_disconnect()             |  lock_sock(sk)
   ...                         |  ...
   x25->neighbour = NULL //(1) |
   ...                         |  x25->neighbour->extended //(2)

The code sets NULL to x25->neighbour in position (1) and dereferences
x25->neighbour in position (2), which could cause null-ptr-deref bug.

=*=*=*=*=*=*=*=*=  Bug Effects  =*=*=*=*=*=*=*=*=

This flaw allows a local user to crash the system.

=*=*=*=*=*=*=*=*=  Bug Fix  =*=*=*=*=*=*=*=*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/7781607938c8371d4c2b243527430241c62e39c2

=*=*=*=*=*=*=*=*=  Timeline  =*=*=*=*=*=*=*=*=

2022-03-26: commit 7781607938c8 accepted to mainline kernel
2022-03-26: CVE-2022-1516 is assigned

=*=*=*=*=*=*=*=*=  Credit  =*=*=*=*=*=*=*=*=

Duoming Zhou <duoming@zju.edu.cn>

Best Regards,
Duoming Zhou
[prev in list] [next in list] [prev in thread] [next in thread]