Wind River Support Network

Status: Acknowledged

LIN1022-16390 : Security Advisory - linux - CVE-2025-38181

Created: Jul 7, 2025    Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().

syzkaller reported a null-ptr-deref in sock_omalloc() while allocating
a CALIPSO option.  [0]

The NULL is of struct sock, which was fetched by sk_to_full_sk() in
calipso_req_setattr().

Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"),
reqsk->rsk_listener could be NULL when SYN Cookie is returned to its
client, as hinted by the leading SYN Cookie log.

Here are 3 options to fix the bug:

  1) Return 0 in calipso_req_setattr()
  2) Return an error in calipso_req_setattr()
  3) Always set rsk_listener

1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie
for CALIPSO.  3) is also no go as there have been many efforts to reduce
atomic ops and make TCP robust against DDoS.  See also commit 3b24d854cb35
("tcp/dccp: do not touch listener sk_refcnt under synflood").

As of the blamed commit, SYN Cookie already did not need refcounting,
and no one has stumbled on the bug for 9 years, so no CALIPSO user will
care about SYN Cookie.

Let's return an error in calipso_req_setattr() and calipso_req_delattr()
in the SYN Cookie case.

This can be reproduced by [1] on Fedora and now connect() of nc times out.

[0]:
TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:read_pnet include/net/net_namespace.h:406 [inline]
RIP: 0010:sock_net include/net/sock.h:655 [inline]
RIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806
Code: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffff88811af89038 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400
RDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030
RBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e
R10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000
R13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050
FS:  00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0
PKRU: 80000000
Call Trace:
 <IRQ>
 ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288
 calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204
 calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597
 netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249
 selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342
 selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551
 security_inet_conn_request+0x50/0xa0 security/security.c:4945
 tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825
 tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275
 tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328
 tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781
 tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667
 tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904
 ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436
 ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491
 dst_input include/net/dst.h:469 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netf
---truncated---

Reference: CVE-2025-38181 (https://nvd.nist.gov/vuln/detail/CVE-2025-38181)