xorl %eax, %eax

CVE-2011-1748: Linux kernel CAN/RAW Socket NULL Pointer Dereference


This is identical to CVE-2011-1598 (the same missing check, that time in the CAN BCM socket code) but it was reported by Oliver Hartkopp. The buggy function is raw_release() from the net/can/raw.c source code file, shown below.

static int raw_release(struct socket *sock)
{
        struct sock *sk = sock->sk;          /* may be NULL, never checked */
        struct raw_sock *ro = raw_sk(sk);    /* plain cast: NULL sk gives NULL ro */

        /* first use of ro: &ro->notifier is a small offset from NULL */
        unregister_netdevice_notifier(&ro->notifier);

        lock_sock(sk);                       /* dereferences the NULL sk */

        /* remove current filters & unregister */
        if (ro->bound) {
  ...
        return 0;
}

The ‘sock->sk’ pointer can be NULL when raw_release() is called, and nothing in the function checks for it. Since raw_sk() is nothing more than a cast, ‘ro’ ends up NULL as well, so the calls to unregister_netdevice_notifier(&ro->notifier) and lock_sock(sk) operate on a NULL (or near-NULL, at the offset of the ‘notifier’ member) pointer and the kernel oopses with a NULL pointer dereference. For completeness, here is the raw_sk() inline function as seen in the include/net/raw.h header file.

static inline struct raw_sock *raw_sk(const struct sock *sk)
{
        /* struct sock is the first member of struct raw_sock, so this is
         * a type pun with no validation of 'sk' at all */
        return (struct raw_sock *)sk;
}
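To make the two points above concrete, here is a small userland model of the release path, written for this post and not taken from the kernel. The structure layout, the counters inside the stand-in helpers and the function names ending in _fixed and demo_ are assumptions chosen for the demonstration; only the raw_sk() cast and the shape of the release logic follow net/can/raw.c. It shows that with a NULL ‘sk’ the pre-fix code would hand unregister_netdevice_notifier() the offset of ‘notifier’ inside a NULL raw_sock, and that the patched ordering (check, then cast, then use) releases a half-initialised socket without touching memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userland model of the structures behind raw_release() (constructed for
 * this example; field names follow net/can/raw.c, the layout is assumed). */
struct sock { int locked; };
struct notifier_block { int registered; };
struct raw_sock {
        struct sock sk;                 /* first member: raw_sk() is a plain cast */
        int bound;
        int ifindex;
        struct notifier_block notifier;
};
struct socket { struct sock *sk; };

static inline struct raw_sock *raw_sk(const struct sock *sk)
{
        return (struct raw_sock *)sk;   /* NULL in, NULL out */
}

/* Stand-ins for the kernel helpers the release path calls. */
static void unregister_netdevice_notifier(struct notifier_block *nb) { nb->registered = 0; }
static void lock_sock(struct sock *sk)    { sk->locked = 1; }
static void release_sock(struct sock *sk) { sk->locked = 0; }

/* The address the pre-fix code would pass to unregister_netdevice_notifier()
 * when sock->sk is NULL: the notifier's offset into a NULL raw_sock.  Computed
 * with offsetof() so this demo does not itself do the invalid arithmetic. */
uintptr_t null_sk_notifier_addr(void)
{
        return (uintptr_t)offsetof(struct raw_sock, notifier);
}

/* Release path in the patched order: check sk before casting or using it. */
int raw_release_fixed(struct socket *sock)
{
        struct sock *sk = sock->sk;
        struct raw_sock *ro;

        if (!sk)
                return 0;               /* nothing was ever set up, nothing to undo */

        ro = raw_sk(sk);
        unregister_netdevice_notifier(&ro->notifier);
        lock_sock(sk);
        if (ro->bound)
                ro->bound = 0;          /* filter removal elided in this model */
        release_sock(sk);
        sock->sk = NULL;
        return 0;
}

/* A socket whose protocol init never ran: sock->sk is NULL. */
int demo_null_sk(void)
{
        struct socket half = { .sk = NULL };
        return raw_release_fixed(&half);        /* 0, and no fault */
}

/* A fully set up socket: release must unregister, unbind and unlock. */
int demo_full_sk(void)
{
        struct raw_sock rs = { .bound = 1, .notifier.registered = 1 };
        struct socket full = { .sk = &rs.sk };

        if (raw_release_fixed(&full) != 0)
                return 0;
        return rs.bound == 0 && rs.notifier.registered == 0 &&
               rs.sk.locked == 0 && full.sk == NULL;
}

int main(void)
{
        printf("NULL sk: pre-fix code would use &ro->notifier == %#lx\n",
               (unsigned long)null_sk_notifier_addr());
        printf("null sk release: %d, full sk release ok: %d\n",
               demo_null_sk(), demo_full_sk());
        return 0;
}
```

The near-NULL address is the interesting part: it is exactly the kind of low user-space mapping that vm.mmap_min_addr exists to deny, which is why the bug is a crash rather than a straightforward privilege escalation on hardened kernels.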

The fix adds the missing NULL check before ‘sk’ is cast or used, returning early when there is no sock attached.

 	struct sock *sk = sock->sk;
-	struct raw_sock *ro = raw_sk(sk);
+	struct raw_sock *ro;
+
+	if (!sk)
+		return 0;
+
+	ro = raw_sk(sk);

 	unregister_netdevice_notifier(&ro->notifier);
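Review bot: the early `return 0` skips `unregister_netdevice_notifier(&ro->notifier)` and the locking that follows, which is the right call since with `sk == NULL` there is no raw_sock whose notifier could have been registered, but a one-line comment above `if (!sk)` explaining how raw_release() can be reached with a NULL sk would spare the next reader from re-deriving it. Splitting the declaration from the assignment (`struct raw_sock *ro;` then `ro = raw_sk(sk);`) is the minimal way to keep the check ahead of the cast and matches the style of the surrounding code.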

Written by xorl

April 28, 2011 at 19:47

Posted in linux, vulnerabilities
