Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]calipso: Don't call calipso functions for AF_INET sk.[EOL][EOL]syzkaller reported a null-ptr-deref in txopt_get(). [0][EOL][EOL]The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,[EOL]so struct ipv6_pinfo was NULL there.[EOL][EOL]However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6[EOL]is always set in inet6_create(), meaning the socket was not IPv6 one.[EOL][EOL]The root cause is missing validation in netlbl_conn_setattr().[EOL][EOL]netlbl_conn_setattr() switches branches based on struct[EOL]sockaddr.sa_family, which is passed from userspace.  However,[EOL]netlbl_conn_setattr() does not check if the address family matches[EOL]the socket.[EOL][EOL]The syzkaller must have called connect() for an IPv6 address on[EOL]an IPv4 socket.[EOL][EOL]We have a proper validation in tcp_v[46]_connect(), but[EOL]security_socket_connect() is called in the earlier stage.[EOL][EOL]Let's copy the validation to netlbl_conn_setattr().[EOL][EOL][0]:[EOL]Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI[EOL]KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077][EOL]CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1[EOL]Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014[EOL]RIP: 0010:txopt_get include/net/ipv6.h:390 [inline][EOL]RIP: 0010:[EOL]Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00[EOL]RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212[EOL]RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c[EOL]RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070[EOL]RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e[EOL]R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00[EOL]R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80[EOL]FS:  00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000[EOL]CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL]CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0[EOL]PKRU: 80000000[EOL]Call Trace:[EOL] <TASK>[EOL] calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557[EOL] netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177[EOL] selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569[EOL] selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline][EOL] selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615[EOL] selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931[EOL] security_socket_connect+0x50/0xa0 security/security.c:4598[EOL] __sys_connect_file+0xa4/0x190 net/socket.c:2067[EOL] __sys_connect+0x12c/0x170 net/socket.c:2088[EOL] __do_sys_connect net/socket.c:2098 [inline][EOL] __se_sys_connect net/socket.c:2095 [inline][EOL] __x64_sys_connect+0x73/0xb0 net/socket.c:2095[EOL] do_syscall_x64 arch/x86/entry/common.c:52 [inline][EOL] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83[EOL] entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL]RIP: 0033:0x7f901b61a12d[EOL]Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48[EOL]RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a[EOL]RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d[EOL]RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003[EOL]RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000[EOL]R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000[EOL]R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000[EOL] </TASK>[EOL]Modules linked in:

CREATE(Triage):(User=lchen-cn) [CVE-2025-38147 (https://nvd.nist.gov/vuln/detail/CVE-2025-38147)