Home

CVE-2023-53821

Description

In the Linux kernel, the following vulnerability has been resolved:ip6_vti: fix slab-use-after-free in decode_session6When ipv6_vti device is set to the qdisc of the sfb type, the cb fieldof the sent skb may be modified during enqueuing. Then,slab-use-after-free may occur when ipv6_vti device sends IPv6 packets.The stack information is as follows:BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014Call Trace:dump_stack_lvl+0xd9/0x150print_address_description.constprop.0+0x2c/0x3c0kasan_report+0x11d/0x130decode_session6+0x103f/0x1890__xfrm_decode_session+0x54/0xb0vti6_tnl_xmit+0x3e6/0x1ee0dev_hard_start_xmit+0x187/0x700sch_direct_xmit+0x1a3/0xc30__qdisc_run+0x510/0x17a0__dev_queue_xmit+0x2215/0x3b10neigh_connected_output+0x3c2/0x550ip6_finish_output2+0x55a/0x1550ip6_finish_output+0x6b9/0x1270ip6_output+0x1f1/0x540ndisc_send_skb+0xa63/0x1890ndisc_send_rs+0x132/0x6f0addrconf_rs_timer+0x3f1/0x870call_timer_fn+0x1a0/0x580expire_timers+0x29b/0x4b0run_timer_softirq+0x326/0x910__do_softirq+0x1d4/0x905irq_exit_rcu+0xb7/0x120sysvec_apic_timer_interrupt+0x97/0xc0Allocated by task 9176:kasan_save_stack+0x22/0x40kasan_set_track+0x25/0x30__kasan_slab_alloc+0x7f/0x90kmem_cache_alloc_node+0x1cd/0x410kmalloc_reserve+0x165/0x270__alloc_skb+0x129/0x330netlink_sendmsg+0x9b1/0xe30sock_sendmsg+0xde/0x190____sys_sendmsg+0x739/0x920___sys_sendmsg+0x110/0x1b0__sys_sendmsg+0xf7/0x1c0do_syscall_64+0x39/0xb0entry_SYSCALL_64_after_hwframe+0x63/0xcdFreed by task 9176:kasan_save_stack+0x22/0x40kasan_set_track+0x25/0x30kasan_save_free_info+0x2b/0x40____kasan_slab_free+0x160/0x1c0slab_free_freelist_hook+0x11b/0x220kmem_cache_free+0xf0/0x490skb_free_head+0x17f/0x1b0skb_release_data+0x59c/0x850consume_skb+0xd2/0x170netlink_unicast+0x54f/0x7f0netlink_sendmsg+0x926/0xe30sock_sendmsg+0xde/0x190____sys_sendmsg+0x739/0x920___sys_sendmsg+0x110/0x1b0__sys_sendmsg+0xf7/0x1c0do_syscall_64+0x39/0xb0entry_SYSCALL_64_after_hwframe+0x63/0xcdThe buggy address belongs to the object at ffff88802e08ed00which belongs to the cache skbuff_small_head of size 640The buggy address is located 194 bytes inside offreed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)As commit f855691975bb (xfrm6: Fix the nexthdr offset in_decode_session6.) showed, xfrm_decode_session was originally intendedonly for the receive path. IP6CB(skb)->nhoff is not set duringtransmission. Therefore, set the cb field in the skb to 0 beforesending packets.

Risk Information

Base Score
7.0
MODERATE
Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.036

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234