| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024052148-CVE-2021-47397-1b56@gregkh> Date: Tue, 21 May 2024 17:04:14 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2021-47397: sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb Description =========== In the Linux kernel, the following vulnerability has been resolved: sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb We should always check if skb_header_pointer's return is NULL before using it, otherwise it may cause null-ptr-deref, as syzbot reported: KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline] RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196 Call Trace: <IRQ> sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109 ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422 ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463 NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472 dst_input include/net/dst.h:460 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297 The Linux kernel CVE team has assigned CVE-2021-47397 to this issue. Affected and fixed versions =========================== Issue introduced in 4.8 with commit 3acb50c18d8d and fixed in 4.14.249 with commit 77bc7dcf0fcc Issue introduced in 4.8 with commit 3acb50c18d8d and fixed in 4.19.209 with commit 8c630a7b4f9d Issue introduced in 4.8 with commit 3acb50c18d8d and fixed in 5.4.151 with commit ec018021cf44 Issue introduced in 4.8 with commit 3acb50c18d8d and fixed in 5.10.71 with commit 9c6591ae8e63 Issue introduced in 4.8 with commit 3acb50c18d8d and fixed in 5.14.10 with commit 8180611c238e Issue introduced in 4.8 with commit 3acb50c18d8d and fixed in 5.15 with commit f7e745f8e944 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2021-47397 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sctp/input.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/77bc7dcf0fcc1519341a91788d7a2914fcfddf6d https://git.kernel.org/stable/c/8c630a7b4f9dec63f08bd881ab77984a724a5124 https://git.kernel.org/stable/c/ec018021cf445abbe8e2f3e2a7f1dcc813cb8ea1 https://git.kernel.org/stable/c/9c6591ae8e63f93c895ad5e2703c36c548aac997 https://git.kernel.org/stable/c/8180611c238e11676612eb2a9828b1c7a3a4d77b https://git.kernel.org/stable/c/f7e745f8e94492a8ac0b0a26e25f2b19d342918f
Powered by blists - more mailing lists