CVE Request: Linux: NULL pointer dereference netfilter/nf_nat_redirect.c in nf_nat_redirect_ipv4 function

[Salvatore Bonaccorso <carnil () debian org>]

Hi

> From https://bugzilla.redhat.com/show_bug.cgi?id=1300731 
> Kernel NULL pointer dereference vulnerability was found in
> netfilter/nf_nat_redirect.c in nf_nat_redirect_ipv4 function introduced by
> commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
> redirect IPv4 to use it from nf_tables").
>
> Vulnerable code:
>
> unsigned int
> nf_nat_redirect_ipv4(struct sk_buff *skb,
> ...
> {
> ...
>               rcu_read_lock();
>               indev = __in_dev_get_rcu(skb->dev);
>               if (indev != NULL) {
>                       ifa = indev->ifa_list;
>                       newdst = ifa->ifa_local; <---
>               }
>               rcu_read_unlock();
> ...
> }
>
> 'ifa' is not checked before access and can be accessed even if it's NULL.
> Crash might happen when packets that need to be redirected somehow arrive on an
>  interface which hasn't been yet fully configured.
>
> Patch and crash report:
>
> https://lkml.org/lkml/2015/12/2/618

This was introduced in:
https://git.kernel.org/linus/8b13eddfdf04cbfa561725cfc42d6868fe896f56 (v3.19-rc1)

Fixed by:
https://git.kernel.org/linus/94f9cd81436c85d8c3a318ba92e236ede73752fc (v4.4-rc1)

Can you assign a CVE to track this issue?

Regards,
Salvatore