CVE-2023-53192

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vxlan: Fix nexthop hash size<br /> <br /> The nexthop code expects a 31 bit hash, such as what is returned by<br /> fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash<br /> returned by skb_get_hash() can lead to problems related to the fact that<br /> &amp;#39;int hash&amp;#39; is a negative number when the MSB is set.<br /> <br /> In the case of hash threshold nexthop groups, nexthop_select_path_hthr()<br /> will disproportionately select the first nexthop group entry. In the case<br /> of resilient nexthop groups, nexthop_select_path_res() may do an out of<br /> bounds access in nh_buckets[], for example:<br /> hash = -912054133<br /> num_nh_buckets = 2<br /> bucket_index = 65535<br /> <br /> which leads to the following panic:<br /> <br /> BUG: unable to handle page fault for address: ffffc900025910c8<br /> PGD 100000067 P4D 100000067 PUD 10026b067 PMD 0<br /> Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI<br /> CPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014<br /> Workqueue: ipv6_addrconf addrconf_dad_work<br /> RIP: 0010:nexthop_select_path+0x197/0xbf0<br /> Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85<br /> RSP: 0018:ffff88810c36f260 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77<br /> RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8<br /> RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219<br /> R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0<br /> R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900<br /> FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die+0x23/0x70<br /> ? page_fault_oops+0x1ee/0x5c0<br /> ? __pfx_is_prefetch.constprop.0+0x10/0x10<br /> ? __pfx_page_fault_oops+0x10/0x10<br /> ? search_bpf_extables+0xfe/0x1c0<br /> ? fixup_exception+0x3b/0x470<br /> ? exc_page_fault+0xf6/0x110<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? nexthop_select_path+0x197/0xbf0<br /> ? nexthop_select_path+0x197/0xbf0<br /> ? lock_is_held_type+0xe7/0x140<br /> vxlan_xmit+0x5b2/0x2340<br /> ? __lock_acquire+0x92b/0x3370<br /> ? __pfx_vxlan_xmit+0x10/0x10<br /> ? __pfx___lock_acquire+0x10/0x10<br /> ? __pfx_register_lock_class+0x10/0x10<br /> ? skb_network_protocol+0xce/0x2d0<br /> ? dev_hard_start_xmit+0xca/0x350<br /> ? __pfx_vxlan_xmit+0x10/0x10<br /> dev_hard_start_xmit+0xca/0x350<br /> __dev_queue_xmit+0x513/0x1e20<br /> ? __pfx___dev_queue_xmit+0x10/0x10<br /> ? __pfx_lock_release+0x10/0x10<br /> ? mark_held_locks+0x44/0x90<br /> ? skb_push+0x4c/0x80<br /> ? eth_header+0x81/0xe0<br /> ? __pfx_eth_header+0x10/0x10<br /> ? neigh_resolve_output+0x215/0x310<br /> ? ip6_finish_output2+0x2ba/0xc90<br /> ip6_finish_output2+0x2ba/0xc90<br /> ? lock_release+0x236/0x3e0<br /> ? ip6_mtu+0xbb/0x240<br /> ? __pfx_ip6_finish_output2+0x10/0x10<br /> ? find_held_lock+0x83/0xa0<br /> ? lock_is_held_type+0xe7/0x140<br /> ip6_finish_output+0x1ee/0x780<br /> ip6_output+0x138/0x460<br /> ? __pfx_ip6_output+0x10/0x10<br /> ? __pfx___lock_acquire+0x10/0x10<br /> ? __pfx_ip6_finish_output+0x10/0x10<br /> NF_HOOK.constprop.0+0xc0/0x420<br /> ? __pfx_NF_HOOK.constprop.0+0x10/0x10<br /> ? ndisc_send_skb+0x2c0/0x960<br /> ? __pfx_lock_release+0x10/0x10<br /> ? __local_bh_enable_ip+0x93/0x110<br /> ? lock_is_held_type+0xe7/0x140<br /> ndisc_send_skb+0x4be/0x960<br /> ? __pfx_ndisc_send_skb+0x10/0x10<br /> ? mark_held_locks+0x65/0x90<br /> ? find_held_lock+0x83/0xa0<br /> ndisc_send_ns+0xb0/0x110<br /> ? __pfx_ndisc_send_ns+0x10/0x10<br /> addrconf_dad_work+0x631/0x8e0<br /> ? lock_acquire+0x180/0x3f0<br /> ? __pfx_addrconf_dad_work+0x10/0x10<br /> ? mark_held_locks+0x24/0x90<br /> process_one_work+0x582/0x9c0<br /> ? __pfx_process_one_work+0x10/0x10<br /> ? __pfx_do_raw_spin_lock+0x10/0x10<br /> ? mark_held_locks+0x24/0x90<br /> worker_thread+0x93/0x630<br /> ? __kthread_parkme+0xdc/0x100<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x1a5/0x1e0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x34/0x60<br /> <br /> ---truncated---