The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirect.c in the Linux kernel before 4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by sending certain IPv4 packets to an incompletely configured interface, a related issue to CVE-2003-1604.

author

Munehisa Kamata <kamatam@amazon.com>

2015-10-26 19:10:52 -0700

committer

Pablo Neira Ayuso <pablo@netfilter.org>

2015-10-27 06:54:56 +0100

commit

94f9cd81436c85d8c3a318ba92e236ede73752fc (patch)

tree

9b7a2afcef9b46e41c823a14e66cf7b965b7a72f

parent

45efccdbec3cd465c4776ed9ca1d7b1bba1b7e34 (diff)

download

linux-94f9cd81436c85d8c3a318ba92e236ede73752fc.tar.gz  

netfilter: nf\_nat\_redirect: add missing NULL pointer check

Commit 8b13eddfdf04cbfa561725cfc42d6868fe896f56 ("netfilter: refactor NAT redirect IPv4 to use it from nf\_tables") has introduced a trivial logic change which can result in the following crash. BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 IP: \[<ffffffffa033002d>\] nf\_nat\_redirect\_ipv4+0x2d/0xa0 \[nf\_nat\_redirect\] PGD 3ba662067 PUD 3ba661067 PMD 0 Oops: 0000 \[#1\] SMP Modules linked in: ipv6(E) xt\_REDIRECT(E) nf\_nat\_redirect(E) xt\_tcpudp(E) iptable\_nat(E) nf\_conntrack\_ipv4(E) nf\_defrag\_ipv4(E) nf\_nat\_ipv4(E) nf\_nat(E) nf\_conntrack(E) ip\_tables(E) x\_tables(E) binfmt\_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c\_piix4(E) i2c\_core(E) acpi\_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm\_mirror(E) dm\_region\_hash(E) dm\_log(E) dm\_mod(E) CPU: 0 PID: 2536 Comm: ip Tainted: G E 4.1.7-15.23.amzn1.x86\_64 #1 Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015 task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000 \[...\] Call Trace: <IRQ> \[<ffffffffa0334065>\] redirect\_tg4+0x15/0x20 \[xt\_REDIRECT\] \[<ffffffffa02e2e99>\] ipt\_do\_table+0x2b9/0x5e1 \[ip\_tables\] \[<ffffffffa0328045>\] iptable\_nat\_do\_chain+0x25/0x30 \[iptable\_nat\] \[<ffffffffa031777d>\] nf\_nat\_ipv4\_fn+0x13d/0x1f0 \[nf\_nat\_ipv4\] \[<ffffffffa0328020>\] ? iptable\_nat\_ipv4\_fn+0x20/0x20 \[iptable\_nat\] \[<ffffffffa031785e>\] nf\_nat\_ipv4\_in+0x2e/0x90 \[nf\_nat\_ipv4\] \[<ffffffffa03280a5>\] iptable\_nat\_ipv4\_in+0x15/0x20 \[iptable\_nat\] \[<ffffffff81449137>\] nf\_iterate+0x57/0x80 \[<ffffffff814491f7>\] nf\_hook\_slow+0x97/0x100 \[<ffffffff814504d4>\] ip\_rcv+0x314/0x400 unsigned int nf\_nat\_redirect\_ipv4(struct sk\_buff \*skb, ... { ... rcu\_read\_lock(); indev = \_\_in\_dev\_get\_rcu(skb->dev); if (indev != NULL) { ifa = indev->ifa\_list; newdst = ifa->ifa\_local; <--- } rcu\_read\_unlock(); ... } Before the commit, 'ifa' had been always checked before access. After the commit, however, it could be accessed even if it's NULL. Interestingly, this was once fixed in 2003. http://marc.info/?l=netfilter-devel&m=106668497403047&w=2 In addition to the original one, we have seen the crash when packets that need to be redirected somehow arrive on an interface which hasn't been yet fully configured. This change just reverts the logic to the old behavior to avoid the crash. Fixes: 8b13eddfdf04 ("netfilter: refactor NAT redirect IPv4 to use it from nf\_tables") Signed-off-by: Munehisa Kamata <kamatam@amazon.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

\-rw-r--r--

net/netfilter/nf\_nat\_redirect.c

2

1 files changed, 1 insertions, 1 deletions

diff --git a/net/netfilter/nf\_nat\_redirect.c b/net/netfilter/nf\_nat\_redirect.c  
index 97b75f9bfbcd68..d43869879fcfce 100644  
\--- a/net/netfilter/nf\_nat\_redirect.c  
+++ b/net/netfilter/nf\_nat\_redirect.c

@@ -55,7 +55,7 @@ nf\_nat\_redirect\_ipv4(struct sk\_buff \*skb,

rcu\_read\_lock();

indev = \_\_in\_dev\_get\_rcu(skb->dev);

\- if (indev != NULL) {

\+ if (indev && indev->ifa\_list) {

ifa = indev->ifa\_list;

newdst = ifa->ifa\_local;

}

CVE-2015-8787: git/torvalds/linux.git - Linux kernel source tree

Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.

CVE-2015-4879: Oracle Critical Patch Update Advisory - October 2015

Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.

CVE-2015-4734: Oracle Critical Patch Update Advisory - October 2015

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

Tag

#amazon