CVE-2021-47572

In the Linux kernel, the following vulnerability has been resolved:

net: nexthop: fix null pointer dereference when IPv6 is not enabled

When we try to add an IPv6 nexthop and IPv6 is not enabled (!CONFIGIPV6) we'll hit a NULL pointer dereference[1] in the error path of nhcreateipv6() due to calling ipv6stub->fib6nhrelease. The bug has been present since the beginning of IPv6 nexthop gateway support. Commit 1aefd3de7bc6 ("ipv6: Add fib6nhinit and release to stubs") tells us that only fib6nhinit has a dummy stub because fib6nhrelease should not be called if fib6nhinit returns an error, but the commit below added a call to ipv6stub->fib6nhrelease in its error path. To fix it return the dummy stub's -EAFNOSUPPORT error directly without calling ipv6stub->fib6nhrelease in nhcreateipv6()'s error path.

[1] Output is a bit truncated, but it clearly shows the error. BUG: kernel NULL pointer dereference, address: 000000000000000000 #PF: supervisor instruction fetch in kernel modede #PF: errorcode(0x0010) - not-present pagege PGD 0 P4D 0 Oops: 0010 [#1] PREEMPT SMP NOPTI CPU: 4 PID: 638 Comm: ip Kdump: loaded Not tainted 5.16.0-rc1+ #446 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0018:ffff888109f5b8f0 EFLAGS: 00010286^Ac RAX: 0000000000000000 RBX: ffff888109f5ba28 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8881008a2860 RBP: ffff888109f5b9d8 R08: 0000000000000000 R09: 0000000000000000 R10: ffff888109f5b978 R11: ffff888109f5b948 R12: 00000000ffffff9f R13: ffff8881008a2a80 R14: ffff8881008a2860 R15: ffff8881008a2840 FS: 00007f98de70f100(0000) GS:ffff88822bf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000100efc000 CR4: 00000000000006e0 Call Trace: <TASK> nhcreateipv6+0xed/0x10c rtmnewnexthop+0x6d7/0x13f3 ? checkpreemptiondisabled+0x3d/0xf2 ? lockisheldtype+0xbe/0xfd rtnetlinkrcvmsg+0x23f/0x26a ? checkpreemptiondisabled+0x3d/0xf2 ? rtnlcalcit.isra.0+0x147/0x147 netlinkrcvskb+0x61/0xb2 netlinkunicast+0x100/0x187 netlinksendmsg+0x37f/0x3a0 ? netlinkunicast+0x187/0x187 socksendmsgnosec+0x67/0x9b _syssendmsg+0x19d/0x1f9 ? copymsghdrfromuser+0x4c/0x5e ? rcureadlockanyheld+0x2a/0x78 _syssendmsg+0x6c/0x8c ? asmsysvecapictimerinterrupt+0x12/0x20 ? lockdephardirqson+0xd9/0x102 ? sockfdlookuplight+0x69/0x99 _syssendmsg+0x50/0x6e dosyscall64+0xcb/0xf2 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7f98dea28914 Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 e9 5d 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53 RSP: 002b:00007fff859f5e68 EFLAGS: 00000246 ORIGRAX: 000000000000002e2e RAX: ffffffffffffffda RBX: 00000000619cb810 RCX: 00007f98dea28914 RDX: 0000000000000000 RSI: 00007fff859f5ed0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000008 R10: fffffffffffffce6 R11: 0000000000000246 R12: 0000000000000001 R13: 000055c0097ae520 R14: 000055c0097957fd R15: 00007fff859f63a0 </TASK> Modules linked in: bridge stp llc bonding virtionet