CWE: 476 (NULL Pointer Dereference)

CVE-2023-3772: Kernel: xfrm: null pointer dereference in xfrm_update_ae_params()

First published: Fri Jun 30 2023 (Updated: )

========== 1. Null-ptr-deref in xfrm_update_ae_params() ==========

[require privilege]: CAP_NET_ADMIN
[effects]: local DoS
[crash stack]:
[ 47.933119] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 47.933119] #PF: supervisor write access in kernel mode
[ 47.933119] #PF: error_code(0x0002) - not-present page
[ 47.933119] PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
[ 47.933119] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
[ 47.933119] CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8
[ 47.933119] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
[ 47.933119] RIP: 0010:memcpy_orig+0xad/0x140
[ 47.933119] Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
[ 47.933119] RSP: 0018:ffff888008f57658 EFLAGS: 00000202
[ 47.933119] RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
[ 47.933119] RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
[ 47.933119] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 47.933119] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
[ 47.933119] R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
[ 47.933119] FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
[ 47.933119] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 47.933119] CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
[ 47.933119] Call Trace:
[ 47.933119] <TASK>
[ 47.933119] ? __die+0x1f/0x70
[ 47.933119] ? page_fault_oops+0x1e8/0x500
[ 47.933119] ? __pfx_is_prefetch.constprop.0+0x10/0x10
[ 47.933119] ? __pfx_page_fault_oops+0x10/0x10
[ 47.933119] ? _raw_spin_unlock_irqrestore+0x11/0x40
[ 47.933119] ? fixup_exception+0x36/0x460
[ 47.933119] ? _raw_spin_unlock_irqrestore+0x11/0x40
[ 47.933119] ? exc_page_fault+0x5e/0xc0
[ 47.933119] ? asm_exc_page_fault+0x26/0x30
[ 47.933119] ? xfrm_update_ae_params+0xd1/0x260
[ 47.933119] ? memcpy_orig+0xad/0x140
[ 47.933119] ? __pfx__raw_spin_lock_bh+0x10/0x10
[ 47.933119] xfrm_update_ae_params+0xe7/0x260
[ 47.933119] xfrm_new_ae+0x298/0x4e0
[ 47.933119] ? __pfx_xfrm_new_ae+0x10/0x10
[ 47.933119] xfrm_user_rcv_msg+0x25a/0x410
[ 47.933119] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[ 47.933119] ? __alloc_skb+0xcf/0x210
[ 47.933119] ? stack_trace_save+0x90/0xd0
[ 47.933119] ? filter_irq_stacks+0x1c/0x70
[ 47.933119] ? __stack_depot_save+0x39/0x4e0
[ 47.933119] ? __kasan_slab_free+0x10a/0x190
[ 47.933119] ? kmem_cache_free+0x9c/0x340
[ 47.933119] ? netlink_recvmsg+0x23c/0x660
[ 47.933119] ? sock_recvmsg+0xeb/0xf0
[ 47.933119] ? __sys_recvfrom+0x13c/0x1f0
[ 47.933119] ? __x64_sys_recvfrom+0x71/0x90
[ 47.933119] ? do_syscall_64+0x3f/0x90
[ 47.933119] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 47.933119] ? copyout+0x3e/0x50
[ 47.933119] netlink_rcv_skb+0xd6/0x210
[ 47.933119] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[ 47.933119] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 47.933119] ? __pfx_sock_has_perm+0x10/0x10
[ 47.933119] ? mutex_lock+0x8d/0xe0
[ 47.933119] ? __pfx_mutex_lock+0x10/0x10
[ 47.933119] xfrm_netlink_rcv+0x44/0x50
[ 47.933119] netlink_unicast+0x36f/0x4c0
[ 47.933119] ? __pfx_netlink_unicast+0x10/0x10
[ 47.933119] ? netlink_recvmsg+0x500/0x660
[ 47.933119] netlink_sendmsg+0x3b7/0x700
[ 47.933119] ? __pfx_netlink_sendmsg+0x10/0x10
[ 47.933119] ? update_load_avg+0x591/0xab0
[ 47.933119] ? __pfx_netlink_sendmsg+0x10/0x10
[ 47.933119] sock_sendmsg+0xde/0xe0
[ 47.933119] __sys_sendto+0x18d/0x230
[ 47.933119] ? __pfx___sys_sendto+0x10/0x10
[ 47.933119] ? rb_insert_color+0x1c0/0x280
[ 47.933119] ? timerqueue_add+0x128/0x150
[ 47.933119] ? ktime_get+0x49/0xb0
[ 47.933119] ? __pfx_native_apic_mem_write+0x10/0x10
[ 47.933119] ? lapic_next_event+0x35/0x40
[ 47.933119] ? clockevents_program_event+0xdf/0x140
[ 47.933119] ? hrtimer_interrupt+0x321/0x360
[ 47.933119] __x64_sys_sendto+0x71/0x90
[ 47.933119] do_syscall_64+0x3f/0x90
[ 47.933119] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 47.933119] RIP: 0033:0x44b8aa
[ 47.933119] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 9
[ 47.933119] RSP: 002b:00007fff7ded8258 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 47.933119] RAX: ffffffffffffffda RBX: 00007fff7ded9688 RCX: 000000000044b8aa
[ 47.933119] RDX: 00000000000002a8 RSI: 00007fff7ded8480 RDI: 0000000000000003
[ 47.933119] RBP: 00007fff7ded82c0 R08: 00007fff7ded829c R09: 000000000000000c
[ 47.933119] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 47.933119] R13: 00007fff7ded9678 R14: 00000000004c37d0 R15: 0000000000000001
[ 47.933119] </TASK>
[ 47.933119] Modules linked in:
[ 47.933119] CR2: 0000000000000000
[ 47.933119] ---[ end trace 0000000000000000 ]---
[ 47.933119] RIP: 0010:memcpy_orig+0xad/0x140
[ 47.933119] Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
[ 47.933119] RSP: 0018:ffff888008f57658 EFLAGS: 00000202
[ 47.933119] RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
[ 47.933119] RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
[ 47.933119] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 47.933119] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
[ 47.933119] R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
[ 47.933119] FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
[ 47.933119] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 47.933119] CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
[ 47.933119] Kernel panic - not syncing: Fatal exception in interrupt
[ 47.933119] Kernel Offset: disabled
[ 47.933119] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

[buggy commit]: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows")

[root cause]: x->replay_esn and x->preplay_esn should be allocated by xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), after which xfrm_update_ae_params(...) can safely update them. However, the current implementation lets a malicious user make the kernel dereference the still-NULL pointer directly and crash, as shown above.

[PoC code]: see attachment poc1.c. I have tested it in Ubuntu 22.04 and latest Linux with QEMU.

[suggest fix]: Add NULL check in xfrm_update_ae_params() like below:

@@ -628,7 +628,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs, struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH]; struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH]; - if (re) { + if (re && x->replay_esn && x->preplay_esn) { struct xfrm_replay_state_esn *replay_esn;
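Review bot: the guard in `+ if (re && x->replay_esn && x->preplay_esn) {` stops the NULL write but turns a malformed request into a silent no-op: `xfrm_update_ae_params` is `static void`, so when the state has no ESN storage the XFRMA_REPLAY_ESN_VAL attribute is now dropped with no error reported to the caller. Consider rejecting the attribute in the caller (xfrm_new_ae in the trace above) with -EINVAL before this function is reached, so the netlink request fails instead of being applied partially. The hunk also guards only the `re` branch; any other use of `x->replay_esn` in this function lies outside the visible context and should be checked separately.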
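The root cause and suggested fix above, modelled in user space as an added example (this is not kernel code and not the reporter's poc1.c): the struct names mirror the report's but are simplified stand-ins, `build_attr()` is a constructed user attribute, and the bitmap-length guard in the checked version is an assumption added for the example, not part of the hunk. The "before" function copies into the two pointers without asking whether they were ever allocated; the "after" function is the same update behind the NULL check, so a state that was constructed without ESN storage now skips the update instead of writing to address 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct xfrm_replay_state_esn: a short header
 * followed by a bitmap of bmp_len 32-bit words. The kernel struct has
 * more fields; only what the example needs is kept. */
struct replay_state_esn {
    uint32_t bmp_len;
    uint32_t seq;
    uint32_t replay_window;
    uint32_t bmp[];
};

/* Constructed stand-in for the two struct xfrm_state pointers the report
 * names. Both stay NULL unless ESN replay state was allocated. */
struct state {
    struct replay_state_esn *replay_esn;
    struct replay_state_esn *preplay_esn;
};

/* Bytes needed for a replay_state_esn carrying bmp_len bitmap words. */
static size_t esn_size(uint32_t bmp_len)
{
    return sizeof(struct replay_state_esn) + (size_t)bmp_len * sizeof(uint32_t);
}

/* Models xfrm_alloc_replay_state_esn(), the place the report says the two
 * pointers are meant to be populated. Returns 0 on success, -1 on failure. */
static int alloc_replay_state_esn(struct state *x, uint32_t bmp_len)
{
    x->replay_esn = calloc(1, esn_size(bmp_len));
    x->preplay_esn = calloc(1, esn_size(bmp_len));
    if (!x->replay_esn || !x->preplay_esn) {
        free(x->replay_esn);
        free(x->preplay_esn);
        x->replay_esn = x->preplay_esn = NULL;
        return -1;
    }
    x->replay_esn->bmp_len = bmp_len;
    x->preplay_esn->bmp_len = bmp_len;
    return 0;
}

/* Constructed user attribute: the ESN value userspace would carry in
 * XFRMA_REPLAY_ESN_VAL, with bmp_len bitmap words and a sequence number. */
static struct replay_state_esn *build_attr(uint32_t bmp_len, uint32_t seq)
{
    struct replay_state_esn *re = calloc(1, esn_size(bmp_len));
    if (!re) return NULL;
    re->bmp_len = bmp_len;
    re->seq = seq;
    re->replay_window = bmp_len * 32;
    return re;
}

/* The defect as the report describes it: copy the attribute into
 * x->replay_esn / x->preplay_esn whenever it is present, never asking
 * whether those pointers were allocated. For a state without ESN this is
 * a memcpy to address 0, the supervisor write fault in the oops above.
 * Kept to show the shape of the bug; only called once the pointers exist. */
static void update_ae_params_unchecked(struct state *x,
                                       const struct replay_state_esn *re)
{
    if (re) {
        memcpy(x->replay_esn, re, esn_size(re->bmp_len));
        memcpy(x->preplay_esn, re, esn_size(re->bmp_len));
    }
}

/* The suggested fix: the same update behind a NULL check on both pointers.
 * Returns 1 if applied, 0 if skipped because the state has no ESN storage,
 * -1 if the attribute's bitmap length differs from the allocated one
 * (a length guard added for this example; it is not part of the hunk). */
static int update_ae_params_checked(struct state *x,
                                    const struct replay_state_esn *re)
{
    if (!(re && x->replay_esn && x->preplay_esn))
        return 0;
    if (re->bmp_len != x->replay_esn->bmp_len)
        return -1;
    memcpy(x->replay_esn, re, esn_size(re->bmp_len));
    memcpy(x->preplay_esn, re, esn_size(re->bmp_len));
    return 1;
}

int main(void)
{
    struct state x = { NULL, NULL };            /* state created without ESN */
    struct replay_state_esn *re = build_attr(2, 7);
    if (!re) return 1;

    /* Without the check this call would be the NULL write; with it, skipped. */
    printf("no ESN state: checked update returned %d\n", update_ae_params_checked(&x, re));

    if (alloc_replay_state_esn(&x, 2) != 0) return 1;
    printf("ESN state present: checked update returned %d, seq now %u\n",
           update_ae_params_checked(&x, re), x.replay_esn->seq);
    update_ae_params_unchecked(&x, re);         /* safe only now that both pointers exist */

    free(re); free(x.replay_esn); free(x.preplay_esn);
    return 0;
}
```

The return value of `update_ae_params_checked()` is the part the kernel hunk cannot give you: because the real function is `void`, the fix silently ignores the attribute on a state without ESN, so a caller that wants to surface that as an error has to check for it before the update is attempted.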

Credit: secalert@redhat.com

Affected Software                              | Affected Version | How to fix
-----------------------------------------------+------------------+-------------------------------------------------------------------
Redhat Enterprise Linux                        | =8.0             |
Redhat Enterprise Linux                        | =9.0             |
Fedoraproject Fedora                           |                  |
Linux Linux kernel                             |                  |
IBM QRadar SIEM                                | <=7.5            | 7.5.0 UP8 IF01
Redhat Enterprise Linux For Real Time          | =8.0             |
Redhat Enterprise Linux For Real Time For Nfv  | =8.0             |
Debian Debian Linux                            | =10.0            |
Debian Debian Linux                            | =12.0            |
debian/linux                                   |                  | 5.10.223-1, 5.10.226-1, 6.1.115-1, 6.1.119-1, 6.12.5-1, 6.12.6-1

Remedy

The bug needs CAP_NET_ADMIN, and unprivileged user namespaces let a local user hold that capability inside a network namespace of their own, so disabling them removes the unprivileged path to this code. If not needed, disable the ability for unprivileged users to create namespaces. To do this temporarily, do:

sudo sysctl -w kernel.unprivileged_userns_clone=0

To disable across reboots, do:

echo kernel.unprivileged_userns_clone=0 | \
  sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf

The kernel.unprivileged_userns_clone sysctl comes from a Debian kernel patch (also carried by Ubuntu kernels) and is not an upstream kernel setting; on other distributions check for their equivalent control before relying on this workaround.

© 2024 SecAlerts Pty Ltd.