CVE-2023-52796
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
21/05/2024
Last modified:
23/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ipvlan: add ipvlan_route_v6_outbound() helper

Inspired by syzbot reports using a stack of multiple ipvlan devices.

Reduce stack size needed in ipvlan_process_v6_outbound() by moving
the flowi6 struct used for the route lookup into a non-inlined
helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,
immediately reclaimed.

Also make sure ipvlan_process_v4_outbound() is not inlined.

We might also have to lower MAX_NEST_DEV, because only syzbot uses
setups with more than four stacked devices.

BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)
stack guard page: 0000 [#1] SMP KASAN
CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188
Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89
RSP: 0018:ffffc9000e804000 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568
RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c
R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000
FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

[] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
[] instrument_atomic_read include/linux/instrumented.h:72 [inline]
[] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
[] cpumask_test_cpu include/linux/cpumask.h:506 [inline]
[] cpu_online include/linux/cpumask.h:1092 [inline]
[] trace_lock_acquire include/trace/events/lock.h:24 [inline]
[] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632
[] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306
[] rcu_read_lock include/linux/rcupdate.h:747 [inline]
[] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221
[] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606
[] pol_lookup_func include/net/ip6_fib.h:584 [inline]
[] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116
[] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638
[] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651
[] ip6_route_output include/net/ip6_route.h:100 [inline]
[] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]
[] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
[] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
[] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
[] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
[] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
[] xmit_one net/core/dev.c:3644 [inline]
[] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
[] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
[] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
[] neigh_hh_output include/net/neighbour.h:529 [inline]
[
Impact
Base Score 3.x:
7.80
Severity 3.x:
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.19 (including) | 4.19.300 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.262 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.202 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.5.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6 (including) | 6.6.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.7:rc1:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458
- https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2
- https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f
- https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02
- https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542
- https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a
- https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760
- https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56