[linux] 01/01: netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Jan 27 18:25:55 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit b1fa3fac8877ebad414c2829a02676aebdd06ae2
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Wed Jan 27 19:24:21 2016 +0100

    netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)
---
 debian/changelog                                   |  1 +
 ...f_nat_redirect-add-missing-NULL-pointer-c.patch | 81 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 83 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 7fc7228..b529baa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -57,6 +57,7 @@ linux (4.3.4-1) UNRELEASED; urgency=medium
 
   [ Salvatore Bonaccorso ]
   * tcp: fix zero cwnd in tcp_cwnd_reduction (CVE-2016-2070)
+  * netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 23 Jan 2016 11:51:46 +0000
 
diff --git a/debian/patches/bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch b/debian/patches/bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
new file mode 100644
index 0000000..fd17d1e
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
@@ -0,0 +1,81 @@
+From: Munehisa Kamata <kamatam at amazon.com>
+Date: Mon, 26 Oct 2015 19:10:52 -0700
+Subject: netfilter: nf_nat_redirect: add missing NULL pointer check
+Origin: https://git.kernel.org/linus/94f9cd81436c85d8c3a318ba92e236ede73752fc
+
+Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT
+redirect IPv4 to use it from nf_tables") has introduced a trivial logic
+change which can result in the following crash.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+IP: [<ffffffffa033002d>] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect]
+PGD 3ba662067 PUD 3ba661067 PMD 0
+Oops: 0000 [#1] SMP
+Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
+CPU: 0 PID: 2536 Comm: ip Tainted: G            E   4.1.7-15.23.amzn1.x86_64 #1
+Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015
+task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000
+[...]
+Call Trace:
+ <IRQ>
+ [<ffffffffa0334065>] redirect_tg4+0x15/0x20 [xt_REDIRECT]
+ [<ffffffffa02e2e99>] ipt_do_table+0x2b9/0x5e1 [ip_tables]
+ [<ffffffffa0328045>] iptable_nat_do_chain+0x25/0x30 [iptable_nat]
+ [<ffffffffa031777d>] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4]
+ [<ffffffffa0328020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
+ [<ffffffffa031785e>] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4]
+ [<ffffffffa03280a5>] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat]
+ [<ffffffff81449137>] nf_iterate+0x57/0x80
+ [<ffffffff814491f7>] nf_hook_slow+0x97/0x100
+ [<ffffffff814504d4>] ip_rcv+0x314/0x400
+
+unsigned int
+nf_nat_redirect_ipv4(struct sk_buff *skb,
+...
+{
+...
+		rcu_read_lock();
+		indev = __in_dev_get_rcu(skb->dev);
+		if (indev != NULL) {
+			ifa = indev->ifa_list;
+			newdst = ifa->ifa_local; <---
+		}
+		rcu_read_unlock();
+...
+}
+
+Before the commit, 'ifa' had been always checked before access. After the
+commit, however, it could be accessed even if it's NULL. Interestingly,
+this was once fixed in 2003.
+
+http://marc.info/?l=netfilter-devel&m=106668497403047&w=2
+
+In addition to the original one, we have seen the crash when packets that
+need to be redirected somehow arrive on an interface which hasn't been
+yet fully configured.
+
+This change just reverts the logic to the old behavior to avoid the crash.
+
+Fixes: 8b13eddfdf04 ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables")
+Signed-off-by: Munehisa Kamata <kamatam at amazon.com>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/nf_nat_redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c
+index 97b75f9..d438698 100644
+--- a/net/netfilter/nf_nat_redirect.c
++++ b/net/netfilter/nf_nat_redirect.c
+@@ -55,7 +55,7 @@ nf_nat_redirect_ipv4(struct sk_buff *skb,
+ 
+ 		rcu_read_lock();
+ 		indev = __in_dev_get_rcu(skb->dev);
+-		if (indev != NULL) {
++		if (indev && indev->ifa_list) {
+ 			ifa = indev->ifa_list;
+ 			newdst = ifa->ifa_local;
+ 		}
+-- 
+2.7.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 3e8a2fb..a202989 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -143,3 +143,4 @@ bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
 bugfix/all/fuse-break-infinite-loop-in-fuse_fill_write_pages.patch
 bugfix/all/tcp-fix-zero-cwnd-in-tcp_cwnd_reduction.patch
 bugfix/all/scsi-fix-crashes-in-sd-and-sr-runtime-pm.patch
+bugfix/all/netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list