oss-sec mailing list archives

Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack


From: Solar Designer <solar () openwall com>
Date: Mon, 2 Oct 2023 22:21:06 +0200

On Mon, Oct 02, 2023 at 12:53:20PM -0700, Kyle Zeng wrote:
> when the skb is rerouted through ipvs, its skb->dev is NULL. Then the
> following `dev_net` call, which accesses `dev->nd_net`, becomes null
> pointer dereference.

When reporting issues like this, please always note the privileges
required for attack.  For the example above, it appears to be
CAP_NET_ADMIN within the namespace:

static int
do_ip_vs_set_ctl(struct sock *sk, int cmd, sockptr_t ptr, unsigned int len)
{
[...]
        if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                return -EPERM;

I guess other possibilities for triggering this issue (if any) have
similar requirements.

Thanks,

Alexander
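An added example, not part of the original post or of the kernel source: a small C program a defender can run to check whether an unprivileged user on a host can obtain the CAP_NET_ADMIN named above simply by entering a fresh user and network namespace. It assumes Linux with /proc mounted and relies only on unshare(2) and /proc/self/status.

```c
/* Added example (not from the original post): does an unprivileged process
 * gain CAP_NET_ADMIN by unsharing a user+net namespace on this host?
 * If yes, the ns_capable() check quoted above is satisfiable without root. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_NET_ADMIN_BIT 12   /* CAP_NET_ADMIN as defined by the kernel */

/* Pure helper: is CAP_NET_ADMIN set in a CapEff bitmask? */
int cap_net_admin_in_mask(unsigned long long eff)
{
    return (int)((eff >> CAP_NET_ADMIN_BIT) & 1ULL);
}

/* Reads CapEff from /proc/self/status (no libcap needed).
 * Returns 1 if CAP_NET_ADMIN is effective, 0 if not, -1 on error. */
int has_effective_cap_net_admin(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long eff;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "CapEff: %llx", &eff) == 1) {
            fclose(f);
            return cap_net_admin_in_mask(eff);
        }
    }
    fclose(f);
    return -1;
}

/* Forks a child that tries unshare(CLONE_NEWUSER|CLONE_NEWNET) and reports
 * whether CAP_NET_ADMIN is effective inside it.  Any unshare failure counts
 * as "not reachable" (the usual result when unprivileged user namespaces are
 * disabled).  Returns 1 = reachable, 0 = not reachable, -1 = check failed. */
int unpriv_userns_grants_net_admin(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) _exit(2);
        _exit(has_effective_cap_net_admin() == 1 ? 0 : 2);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    int r = unpriv_userns_grants_net_admin();
    if (r < 0) { perror("check failed"); return 1; }
    printf("unprivileged userns grants CAP_NET_ADMIN: %s\n", r ? "yes" : "no");
    return 0;
}
```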
