In the Linux kernel, the following vulnerability has been resolved:
tipc: Check the bearer type before calling tipcudpnlbeareradd()
syzbot reported the following general protection fault [1]:
general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087] ... RIP: 0010:tipcudpisknownpeer+0x9c/0x250 net/tipc/udpmedia.c:291 ... Call Trace: <TASK> tipcudpnlbeareradd+0x212/0x2f0 net/tipc/udpmedia.c:646 tipcnlbeareradd+0x21e/0x360 net/tipc/bearer.c:1089 genlfamilyrcvmsgdoit+0x1fc/0x2e0 net/netlink/genetlink.c:972 genlfamilyrcvmsg net/netlink/genetlink.c:1052 [inline] genlrcvmsg+0x561/0x800 net/netlink/genetlink.c:1067 netlinkrcvskb+0x16b/0x440 net/netlink/afnetlink.c:2544 genlrcv+0x28/0x40 net/netlink/genetlink.c:1076 netlinkunicastkernel net/netlink/afnetlink.c:1341 [inline] netlinkunicast+0x53b/0x810 net/netlink/afnetlink.c:1367 netlinksendmsg+0x8b7/0xd70 net/netlink/afnetlink.c:1909 socksendmsgnosec net/socket.c:730 [inline] socksendmsg+0xd5/0x180 net/socket.c:745 syssendmsg+0x6ac/0x940 net/socket.c:2584 _syssendmsg+0x135/0x1d0 net/socket.c:2638 _syssendmsg+0x117/0x1e0 net/socket.c:2667 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0x40/0x110 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x63/0x6b
The cause of this issue is that when tipcnlbeareradd() is called with the TIPCNLABEARERUDPOPTS attribute, tipcudpnlbearer_add() is called even if the bearer is not UDP.
tipcudpisknownpeer() called by tipcudpnlbeareradd() assumes that the mediaptr field of the tipcbearer has an udp_bearer type object, so the function goes crazy for non-UDP bearers.
This patch fixes the issue by checking the bearer type before calling tipcudpnlbeareradd() in tipcnlbearer_add().