PT-2025-38193 · Linux · Linux
Published 2025-09-17 · Updated 2025-09-17
CVE-2023-53343
In the Linux kernel, the following vulnerability has been resolved:
icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
has the link-local address as src and dst IP and will be forwarded to
an external IP in the IPv6 Ext Hdr.
For example, the script below generates a packet whose src IP is the
link-local address and dst is updated to 11::.
# for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done
# python3
>>> from socket import *
>>> from scapy.all import *
>>>
>>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"
>>>
>>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)
>>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)
>>>
>>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)
>>> sk.sendto(bytes(pkt), (DST_ADDR, 0))
For such a packet, we call ip6_route_input() to look up a route for the
next destination in these three functions depending on the header type.
* ipv6_rthdr_rcv()
* ipv6_rpl_srh_rcv()
* ipv6_srh_rcv()
If no route is found, ip6_null_entry is set to skb, and the following
dst_input(skb) calls ip6_pkt_drop().
Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev
as the input device is the loopback interface. Then, we have to check if
skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref
for ip6_null_entry.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<IRQ>
ip6_pkt_drop (net/ipv6/route.c:4513)
ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)
ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)
__netif_receive_skb_one_core (net/core/dev.c:5455)
process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)
__napi_poll (net/core/dev.c:6460)
net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:381)
__dev_queue_xmit (net/core/dev.c:4231)
ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)
rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
sock_sendmsg (net/socket.c:725 net/socket.c:748)
__sys_sendto (net/socket.c:2134)
__x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
RIP: 0033:0x7f9dc751baea
Code: d8 64 89 02 48 c7 c0 ff f
---truncated---
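The missing rt6i_idev check that the commit message describes, as an added stand-alone C model (editor's example, not kernel code and not the fix commit itself): the structs, LOOPBACK_IFINDEX and fixed_lookup_ifindex() are assumptions that imitate only the fields involved, and the vulnerable variant shows where ip6_null_entry leads to the NULL dereference.

```c
/* User-space model of the icmp6_dev() lookup described above; the structs
 * imitate only the fields involved (skb->dst stands in for skb_rt6_info()). */
#include <stddef.h>

#define LOOPBACK_IFINDEX 1

struct net_device { int ifindex; };
struct inet6_dev  { struct net_device *dev; };
struct rt6_info   { struct inet6_dev *rt6i_idev; };
struct sk_buff    { struct net_device *dev; const struct rt6_info *dst; };

/* Before the fix: once a route is attached, rt6i_idev is followed blindly.
 * ip6_null_entry has rt6i_idev == NULL, so the loopback-sourced SRH packet
 * from the commit message dereferences NULL here. */
struct net_device *icmp6_dev_vulnerable(const struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;
    if (dev->ifindex == LOOPBACK_IFINDEX) {
        const struct rt6_info *rt6 = skb->dst;
        if (rt6)
            dev = rt6->rt6i_idev->dev;   /* NULL deref on the null entry */
    }
    return dev;
}

/* After the fix: require rt6i_idev as well, otherwise keep reporting the
 * loopback device the packet actually arrived on. */
struct net_device *icmp6_dev_fixed(const struct sk_buff *skb)
{
    struct net_device *dev = skb->dev;
    if (dev->ifindex == LOOPBACK_IFINDEX) {
        const struct rt6_info *rt6 = skb->dst;
        if (rt6 && rt6->rt6i_idev)
            dev = rt6->rt6i_idev->dev;
    }
    return dev;
}

/* Constructed scenario: the packet came in on lo. route_ifindex == 0 means
 * the lookup for the next segment failed (skb carries the null entry); any
 * other value models a found route whose idev sits on that interface. */
int fixed_lookup_ifindex(int route_ifindex)
{
    struct net_device lo = { LOOPBACK_IFINDEX }, out = { route_ifindex };
    struct inet6_dev idev = { &out };
    struct rt6_info rt = { route_ifindex ? &idev : NULL };  /* NULL: null entry */
    struct sk_buff skb = { &lo, &rt };
    return icmp6_dev_fixed(&skb)->ifindex;
}
```

With the null entry attached, the fixed lookup reports the loopback interface instead of dereferencing NULL; with a real route it reports the route's device as before.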
References · 8
- https://nvd.nist.gov/vuln/detail/CVE-2023-53343 · Security Note
- https://git.kernel.org/stable/c/3fabca5d9cae0140b6aad09a1c6b9aa57089fbb8 · Note
- https://git.kernel.org/stable/c/1462e9d9aa52d14665eaca6d89d22c4af44ede04 · Note
- https://git.kernel.org/stable/c/d30ddd7ff15df9d91a793ce3f06f0190ff7afacc · Note
- https://git.kernel.org/stable/c/2aaa8a15de73874847d62eb595c6683bface80fd · Note
- https://git.kernel.org/stable/c/aa657d319e6c7502a4eb85cc0ee80cc81b8e5724 · Note
- https://git.kernel.org/stable/c/8803c59fde4dd370a627dfbf7183682fa0cabf70 · Note
- https://git.kernel.org/stable/c/61b4c4659746959056450b92a5d7e6bc1243b31b · Note