CVE-2023-52906

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/08/2024
Last modified: 13/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mpls: Fix warning during failed attribute validation

The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a
validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid
combination according to the comment above 'struct nla_policy':

"
Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
NLA_BINARY Validation function called for the attribute.
All other Unused - but note that it's a union
"

This can trigger the warning [1] in nla_get_range_unsigned() when
validation of the attribute fails. Despite being of 'NLA_U32' type, the
associated 'min'/'max' fields in the policy are negative as they are
aliased by the 'validate' field.

Fix by changing the attribute type to 'NLA_BINARY' which is consistent
with the above comment and all other users of NLA_POLICY_VALIDATE_FN().
As a result, move the length validation to the validation function.

No regressions in MPLS tests:

# ./tdc.py -f tc-tests/actions/mpls.json
[...]
# echo $?
0

[1]
WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118
nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
Modules linked in:
CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
[...]
Call Trace:

__netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0x38f/0x500 net/socket.c:2482
___sys_sendmsg net/socket.c:2536 [inline]
__sys_sendmsg+0x197/0x230 net/socket.c:2565
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
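The union aliasing that the commit describes, as an added example that is not code from the kernel or from the commit: a constructed C model of a policy entry whose union holds either a min/max range or a validation function pointer, a consistency check that flags the pre-fix combination (NLA_U32 plus NLA_VALIDATE_FUNCTION), and a constructed label validator in the style of the fix, which has to perform the length check itself once the attribute is declared binary. All names in it (struct policy, policy_is_consistent, validate_attr, mpls_label_validate) and the 20-bit label bound are assumptions of this model; the real struct nla_policy is defined in include/net/netlink.h and is more elaborate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a netlink attribute policy. Field names follow the
 * commit message (type, validation_type, min/max, validate), but this is
 * NOT the kernel's struct nla_policy; only the union matters here. */
enum attr_type { ATTR_U32, ATTR_BINARY };
enum validation { VALIDATE_NONE, VALIDATE_RANGE, VALIDATE_FUNCTION };

struct attr {
    uint16_t len;          /* payload length in bytes */
    const uint8_t *data;   /* payload */
};

typedef int (*validate_fn)(const struct attr *a);

struct policy {
    enum attr_type type;
    enum validation validation_type;
    union {
        struct { int16_t min; int16_t max; };  /* numeric range ...      */
        validate_fn validate;                  /* ... or a function, never both */
    };
};

/* The rule quoted from the nla_policy comment: a validation function is
 * only valid for NLA_BINARY. For any other type the error-reporting path
 * (the policy dump in the trace) reads min/max from the same bytes that
 * hold the function pointer and gets meaningless bounds, negative in the
 * reported warning. Returns 1 when the policy obeys the rule. */
int policy_is_consistent(const struct policy *p)
{
    if (p->validation_type == VALIDATE_FUNCTION)
        return p->type == ATTR_BINARY;
    return 1;
}

/* Constructed label validator in the style of the fix: because the
 * attribute is now binary, the generic type check no longer enforces a
 * 4-byte length, so the function must do it before reading the value.
 * MPLS labels are 20-bit fields, hence the upper bound (model assumption). */
#define MPLS_LABEL_MAX 0xFFFFFu

int mpls_label_validate(const struct attr *a)
{
    uint32_t label;

    if (a->len != sizeof(label))
        return -1;                      /* reject short or long payloads */
    memcpy(&label, a->data, sizeof(label));
    return label <= MPLS_LABEL_MAX ? 0 : -1;
}

/* Generic validation driven by the policy: 0 on success, -1 on rejection. */
int validate_attr(const struct policy *p, const struct attr *a)
{
    uint32_t v;

    if (p->type == ATTR_U32) {
        if (a->len != sizeof(v))        /* U32 type implies a fixed length */
            return -1;
        memcpy(&v, a->data, sizeof(v));
        if (p->validation_type == VALIDATE_RANGE &&
            (v < (uint32_t)p->min || v > (uint32_t)p->max))
            return -1;
    }
    if (p->validation_type == VALIDATE_FUNCTION)
        return p->validate(a);
    return 0;
}

/* Pre-fix shape: NLA_U32 plus a validation function (inconsistent). */
const struct policy broken_label_policy = {
    .type = ATTR_U32, .validation_type = VALIDATE_FUNCTION,
    .validate = mpls_label_validate,
};
/* Post-fix shape: NLA_BINARY plus the same function, which now also owns
 * the length check. */
const struct policy fixed_label_policy = {
    .type = ATTR_BINARY, .validation_type = VALIDATE_FUNCTION,
    .validate = mpls_label_validate,
};

/* Constructed sample: a truncated 2-byte payload. */
const uint8_t sample_label_short[2] = { 0x64, 0x00 };

int validate_label_bytes(const struct policy *p, const uint8_t *bytes, uint16_t len)
{
    struct attr a = { .len = len, .data = bytes };
    return validate_attr(p, &a);
}

/* Encode a label in host byte order and validate it under policy p. */
int validate_label_value(const struct policy *p, uint32_t label)
{
    uint8_t bytes[sizeof(label)];
    memcpy(bytes, &label, sizeof(label));
    return validate_label_bytes(p, bytes, sizeof(bytes));
}

int main(void)
{
    printf("broken policy consistent: %d\n", policy_is_consistent(&broken_label_policy));
    printf("fixed policy consistent:  %d\n", policy_is_consistent(&fixed_label_policy));
    printf("label 100 -> %d, label 0x100000 -> %d, 2-byte payload -> %d\n",
           validate_label_value(&fixed_label_policy, 100),
           validate_label_value(&fixed_label_policy, 0x100000),
           validate_label_bytes(&fixed_label_policy, sample_label_short, 2));
    return 0;
}
```

Note that the broken policy still validates well-formed input correctly; the defect only surfaces on the failure path, when the error report describes the policy and interprets the function pointer's bytes as a range. That is why a consistency check over the policy table, rather than a test of valid inputs, is what catches this class of bug.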

Vulnerable products and versions

CPE                                              From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.3 (including)   5.4.229 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.5 (including)   5.10.164 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)  5.15.89 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)  6.1.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*