oss-sec mailing list archives

Re: CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category

From: P J P <ppandit () redhat com>
Date: Tue, 12 May 2020 19:08:17 +0530 (IST)

+-- On Tue, 12 May 2020, P J P wrote --+
| NULL pointer dereference(s) issue(s) was found in the Linux kernel's SELinux 
| subsystem. It occurs while importing the Commercial IP Security Option 
| (CIPSO) protocol's category bitmap into SELinux's extensible bitmap via 
| 'ebitmap_netlbl_import' routine. While parsing the CIPSO restricted bitmap 
| tag in 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to 
| indicate that category bitmap is present, even if it has not been allocated. 
| This leads to the said NULL pointer dereference issue while importing the 
| same category bitmap into SELinux. A remote network user could use this flaw 
| to crash the system kernel resulting in DoS scenario.
|
| This issue was introduced by upstream commit:
|   -> https://git.kernel.org/linus/4b8feff251da3d7058b5779e21b33a85c686b974
|      netlabel: fix the horribly broken catmap functions

Upstream patch:
  -> https://lore.kernel.org/netdev/07d99ae197bfdb2964931201db67b6cd0b38db5b.1589276729.git.pabeni () redhat com/T/#u

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

Current thread:

CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category P J P (May 12)
- Re: CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category P J P (May 12)