CVE-2026-23378

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 25/03/2026
Last modified: 24/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ife: Fix metalist update behavior

Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being inappropriate behavior, this may lead to an unbounded addition of metadata to the metalist which might cause an out of bounds error when running the encode op:

[ 138.423369][ C1] ==================================================================
[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255
[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)
[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 138.425800][ C1] Call Trace:
[ 138.425804][ C1]
[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)
[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))
[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)
[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)
[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))
[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)
[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)

To solve this issue, fix the replace behavior by adding the metalist to the ife rcu data structure.

Vulnerable products and versions

CPE                                              From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.15.1 (including)   6.1.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)      6.6.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)      6.12.77 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.13 (including)     6.18.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.19 (including)     6.19.7 (excluding)
cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
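
The version table above can be turned into a triage check for a fleet inventory. The following is an added example, not part of the advisory or of the kernel project; the function names are hypothetical, and it assumes the release string carries an upstream version number (distribution kernels may backport the fix without changing that number, so a match means "verify with the vendor", not "confirmed vulnerable").

```python
import platform
import re

# Ranges copied from the table on this page: start inclusive, end exclusive.
AFFECTED_RANGES = [
    ((4, 15, 1), (6, 1, 167)),
    ((6, 2, 0), (6, 6, 130)),
    ((6, 7, 0), (6, 12, 77)),
    ((6, 13, 0), (6, 18, 17)),
    ((6, 19, 0), (6, 19, 7)),
]
# Entries the page lists without a range: 4.15 itself and 7.0-rc1..rc7.
AFFECTED_EXACT = {(4, 15, 0)}
LISTED_RCS = {(7, 0): range(1, 8)}

_RELEASE_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc)."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def is_affected(release):
    """True if the upstream version falls in a range listed on this page."""
    version, rc = parse_release(release)
    # Release candidates of a series whose rc builds are listed individually
    # are matched against that list only.
    if rc is not None and version[:2] in LISTED_RCS:
        return rc in LISTED_RCS[version[:2]]
    # Assumption: rc builds of other series are not listed on the page, so
    # they are conservatively judged by their base version.
    if version in AFFECTED_EXACT:
        return True
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    rel = platform.release()
    print(f"{rel}: {'in affected range' if is_affected(rel) else 'not listed'}")
```
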