Vulnerabilidad en Linux (CVE-2026-23273)

En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:<br /> <br /> macvlan: observar un período de gracia RCU en la ruta de error de macvlan_common_newlink()<br /> <br /> valis informó que una condición de carrera todavía ocurre después de mi parche anterior.<br /> <br /> macvlan_common_newlink() podría haber hecho visible a @dev antes de detectar un error, y su llamador llamará directamente a free_netdev(dev).<br /> <br /> Debemos respetar un período RCU, ya sea en macvlan o en la pila de red central.<br /> <br /> Después de añadir un mdelay(1000) temporal en macvlan_forward_source_one() para abrir la ventana de carrera, la reproducción de valis fue:<br /> <br /> ip link add p1 type veth peer p2<br /> ip link set address 00:00:00:00:00:20 dev p1<br /> ip link set up dev p1<br /> ip link set up dev p2<br /> ip link add mv0 link p2 type macvlan mode source<br /> <br /> (ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 &amp;amp;) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4<br /> PING 1.2.3.4 (1.2.3.4): 56 data bytes<br /> RTNETLINK answers: Invalid argument<br /> <br /> BUG: KASAN: slab-uso después de liberación en macvlan_forward_source<br /> (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)<br /> Read of size 8 at addr ffff888016bb89c0 by task e/175<br /> <br /> CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:123)<br /> print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)<br /> ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)<br /> kasan_report (mm/kasan/report.c:597)<br /> ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)<br /> macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)<br /> ? tasklet_init (kernel/softirq.c:983)<br /> macvlan_handle_frame (drivers/net/macvlan.c:501)<br /> <br /> Allocated by task 169:<br /> kasan_save_stack (mm/kasan/common.c:58)<br /> kasan_save_track (./arch/x86/include/asm/current.h:25<br /> mm/kasan/common.c:70 mm/kasan/common.c:79)<br /> __kasan_kmalloc (mm/kasan/common.c:419)<br /> __kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657<br /> mm/slub.c:7140)<br /> alloc_netdev_mqs (net/core/dev.c:12012)<br /> rtnl_create_link (net/core/rtnetlink.c:3648)<br /> rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957<br /> net/core/rtnetlink.c:4072)<br /> rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)<br /> netlink_rcv_skb (net/netlink/af_netlink.c:2550)<br /> netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)<br /> netlink_sendmsg (net/netlink/af_netlink.c:1894)<br /> __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)<br /> __x64_sys_sendto (net/socket.c:2209)<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)<br /> <br /> Freed by task 169:<br /> kasan_save_stack (mm/kasan/common.c:58)<br /> kasan_save_track (./arch/x86/include/asm/current.h:25<br /> mm/kasan/common.c:70 mm/kasan/common.c:79)<br /> kasan_save_free_info (mm/kasan/generic.c:587)<br /> __kasan_slab_free (mm/kasan/common.c:287)<br /> kfree (mm/slub.c:6674 mm/slub.c:6882)<br /> rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957<br /> net/core/rtnetlink.c:4072)<br /> rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)<br /> netlink_rcv_skb (net/netlink/af_netlink.c:2550)<br /> netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)<br /> netlink_sendmsg (net/netlink/af_netlink.c:1894)<br /> __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)<br /> __x64_sys_sendto (net/socket.c:2209)<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)