oss-sec mailing list archives
Re: CVE request: Linux panic on fragemented IPv6 traffic (icmp6_send)
From: <cve-assign () mitre org>
Date: Thu, 8 Dec 2016 12:19:17 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
The linux kernel contains a bug where a fragmented IPv6 packet causes a panic after a timeout (seems to be roughly 60 seconds). This can be triggered remotely via the internet and results in a DoS (kernel panic).
https://bugzilla.kernel.org/show_bug.cgi?id=189851
unable to handle kernel NULL pointer dereference
Seems I can reliably crash said machines running 4.8.12-2 by sending them incomplete fragmented IPv6 packets. The kernel indeed has NET_L3_MASTER_DEV.
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2
the dst->dev should be preferred for determining the L3 domain if the dst has been set on the skb. Fallback to the skb->dev if it has not. This covers the case reported here where icmp6_send is invoked on Rx before the route lookup.
Use CVE-2016-9919. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYSZWMAAoJEHb/MwWLVhi2UAAQAKUTqLnsjpwqlBAxNh9rEexe ljitZUtj0WSTrYAY+EdPm6n5mDocVCw5IlB2wd8Fa/8z2kPigG/9oDafnWXJFKK1 hlqNZAep/GBGX9ISVxbLPFJ5jel8BWsZ3kwiAdj5t4GcuTDbwOkujvknHyhxBS6T kKBE/TVtafKcLUd+D6qzWyt0BaOz+ATKKrekrkRKkm7yEBaGIUHIekWZnK0tJ+sS 08sFKUxzfDCud//OepxNgxRDlecqlcK0PKNp9NNRgD/+D99JgLaxItMVVMkQrh5s 854jFifEhObQKeJLAUotfvSJjIoASXHrndyhwCw2C636vqsASE9KVItzmXV4MzSW 4+8Yqi/jLExwSe1z3Z4R6+zpQopok/ZmGJ9BPBODrU8bsCm/eFvA2eXRvXD/v2Oh /lFbDJf34P8FM8wvzFTc0tDJB5Lf2xZ2pjEUfEdM0hlryfKWIoaGDzcpKPGfewiN M3yHp3CcuKCX6pVxrmonA1goJTpddBqALUavwWtRRnF6ozUhKpWG6G2zhkVn9ZaT vwSSlsYw6BTYpMz1ZPF6rqeCowtdQDI/J6gM8OuQAq/aV/i0jmFv5ToB158dy5yc rq2wKEdUv6y0ZM7lWX5aleGlEfyMyIB/ZtTWy5wAvyfpwlv6X3/OSc/9eXxFB27M R2CpnZwv2wLfC6/R9czc =DVJY -----END PGP SIGNATURE-----
Current thread:
- CVE request: Linux panic on fragemented IPv6 traffic (icmp6_send) Florian Pritz (Dec 08)
- Re: CVE request: Linux panic on fragemented IPv6 traffic (icmp6_send) cve-assign (Dec 08)