oss-sec mailing list archives
Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack
From: Solar Designer <solar () openwall com>
Date: Mon, 2 Oct 2023 22:21:06 +0200
On Mon, Oct 02, 2023 at 12:53:20PM -0700, Kyle Zeng wrote:
> when the skb is rerouted through ipvs, its skb->dev is NULL. Then the
> following `dev_net` call, which accesses `dev->nd_net`, becomes null
> pointer dereference.
When reporting issues like this, please always note the privileges
required for attack.  For the example above, it appears to be
CAP_NET_ADMIN within the namespace:

static int do_ip_vs_set_ctl(struct sock *sk, int cmd, sockptr_t ptr, unsigned int len)
{
[...]
	if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
		return -EPERM;

I guess other possibilities for triggering this issue (if any) have
similar requirements.

Thanks,

Alexander
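The following is an added userspace model, not code from the thread or from the kernel, that illustrates the two points raised above: a handler that calls a dev_net()-style accessor on an skb whose dev is NULL faults, a guarded variant rejects that skb instead, and the set-control path is gated on CAP_NET_ADMIN. The struct definitions, the -1 "drop" status, the handle_* and ip_vs_set_ctl_model() functions and the has_net_admin flag (standing in for ns_capable()) are all simplified assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for struct net, struct net_device and struct
 * sk_buff. These are constructed for the example, not the real kernel
 * definitions. */
struct net { int ns_id; };
struct net_device { struct net *nd_net; const char *name; };
struct sk_buff { struct net_device *dev; };

/* Same shape as the kernel's dev_net(): it reads dev->nd_net with no
 * NULL check, so passing a NULL dev is a NULL pointer dereference. */
static struct net *dev_net(const struct net_device *dev)
{
    return dev->nd_net;
}

/* Unguarded handler: the pattern described in the report. Returns the
 * namespace id it would act on; with skb->dev == NULL it crashes. */
int handle_unguarded(const struct sk_buff *skb)
{
    return dev_net(skb->dev)->ns_id;
}

/* Guarded handler: verify skb->dev before dereferencing and return a
 * distinguishable status (-1, a constructed value) so the caller can
 * drop the packet rather than fault. */
int handle_guarded(const struct sk_buff *skb)
{
    if (!skb->dev)
        return -1;
    return dev_net(skb->dev)->ns_id;
}

/* Model of the privilege gate quoted in the reply: refuse callers that
 * lack CAP_NET_ADMIN in the owning user namespace. has_net_admin is a
 * stand-in for the result of ns_capable(). */
int ip_vs_set_ctl_model(int has_net_admin)
{
    if (!has_net_admin)
        return -EPERM;
    return 0;
}

/* Fixture helpers so the two paths can be exercised without globals. */
int run_normal_path(void)
{
    struct net netns = { .ns_id = 7 };
    struct net_device eth0 = { .nd_net = &netns, .name = "eth0" };
    struct sk_buff skb = { .dev = &eth0 };
    return handle_guarded(&skb);
}

int run_rerouted_path(void)
{
    /* The rerouted case from the report: no output device attached. */
    struct sk_buff skb = { .dev = NULL };
    return handle_guarded(&skb);
}

int main(void)
{
    printf("normal skb -> ns %d\n", run_normal_path());
    printf("rerouted skb (dev == NULL) -> status %d\n", run_rerouted_path());
    printf("set_ctl without CAP_NET_ADMIN -> %d\n", ip_vs_set_ctl_model(0));
    printf("set_ctl with CAP_NET_ADMIN -> %d\n", ip_vs_set_ctl_model(1));
    return 0;
}
```

The guarded handler is the shape of a defensive fix for this class of bug: the check sits at the point where the skb's device is first assumed to exist, so every later accessor stays unchanged. The capability model shows why the privilege note matters for triage: the reachable trigger path is behind a namespace-scoped CAP_NET_ADMIN check, which an unprivileged user inside that namespace does not hold.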