ASA-2018-00066 – Linux kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable()


Allele Security Alert

ASA-2018-00066

Identifier(s)

ASA-2018-00066, CVE-2018-14646

Title

NULL pointer dereference in af_netlink.c:__netlink_ns_capable()

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 4.15-rc8

Introduced by commit:

rtnetlink: use netnsid to query interface
https://github.com/torvalds/linux/commit/79e1ad148c844f5c8b9d76b36b26e3886dca95ae

Fixed version(s)

Linux kernel version 4.15-rc8

Proof of concept

Unknown

Description

The Linux kernel was found to be vulnerable to a NULL pointer dereference in the __netlink_ns_capable() function in net/netlink/af_netlink.c. When a net namespace with a netnsid is assigned, a local attacker could exploit this to cause a kernel panic and a denial of service.

Technical details

The function get_target_net() is called from two places: rtnl_dump_ifinfo() and rtnl_getlink(). rtnl_getlink() passes a request skb to get_target_net(), but rtnl_dump_ifinfo() passes a response skb. The problem is that NETLINK_CB() isn't initialized for the response skb, so the capability check that reads the control block in __netlink_ns_capable() dereferences a NULL pointer.
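The following user-space model is an added example, not kernel code and not taken from the referenced commits. It contrasts a check that reads the socket from the skb's control block with one that is given the user socket directly, as the fix title describes. The struct layouts, the `net_admin` field, the zeroed response control block and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* User-space stand-ins for illustration; not the kernel's definitions. */
struct sock { int net_admin; };                 /* 1 = opener holds CAP_NET_ADMIN */
struct netlink_skb_parms { struct sock *sk; };  /* netlink control block */
struct sk_buff { union { char raw[48]; struct netlink_skb_parms nl; } cb; };
#define NETLINK_CB(skb) ((skb)->cb.nl)

enum result { ALLOWED, DENIED, NULL_DEREF };

/* Pre-fix shape: the check pulls the socket out of the skb it is handed. */
static enum result check_via_skb(const struct sk_buff *skb)
{
    const struct sock *sk = NETLINK_CB(skb).sk;
    if (!sk)                 /* this guard exists only in the model; */
        return NULL_DEREF;   /* the kernel dereferences the pointer and oopses */
    return sk->net_admin ? ALLOWED : DENIED;
}

/* Post-fix shape: the caller passes the user socket itself. */
static enum result check_via_sock(const struct sock *sk)
{
    return sk->net_admin ? ALLOWED : DENIED;
}

enum result getlink_before(struct sock *user_sk)
{
    struct sk_buff req;
    memset(&req, 0, sizeof(req));
    NETLINK_CB(&req).sk = user_sk;   /* request skb: control block filled in */
    return check_via_skb(&req);
}

enum result dump_before(void)
{
    struct sk_buff resp;
    memset(&resp, 0, sizeof(resp));  /* response skb: control block never set */
    return check_via_skb(&resp);
}

enum result dump_after(struct sock *user_sk)
{
    return check_via_sock(user_sk);  /* response skb is no longer consulted */
}

int main(void)
{
    struct sock admin = { 1 };
    printf("getlink before: %d\ndump before: %d\ndump after: %d\n",
           getlink_before(&admin), dump_before(), dump_after(&admin));
    return 0;
}
```

The request path works in both shapes; only the dump path, which handed over the response skb, reaches the NULL socket pointer.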

Credits

Christian Brauner

Reference(s)

rtnetlink: give a user socket to get_target_net()
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f428fe4a04cc339166c8bbd489789760de3a0cee

[PATCH v2] rtnetlink: give a user socket to get_target_net()
https://marc.info/?l=linux-netdev&m=151500466401174&w=2

Bug 1630124 – (CVE-2018-14646) CVE-2018-14646 kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable() allows for denial of service
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14646

rtnetlink: use netnsid to query interface
https://github.com/torvalds/linux/commit/79e1ad148c844f5c8b9d76b36b26e3886dca95ae

CVE-2018-14646 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-14646

CVE-2018-14646 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14646.html

CVE-2018-14646
https://security-tracker.debian.org/tracker/CVE-2018-14646

CVE-2018-14646 | SUSE
https://www.suse.com/security/cve/CVE-2018-14646

CVE-2018-14646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14646

CVE-2018-14646
https://nvd.nist.gov/vuln/detail/CVE-2018-14646


Last modified: October 10, 2019
