CVE-2023-53338

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lwt: Fix return values of BPF xmit ops<br /> <br /> BPF encap ops can return different types of positive values, such like<br /> NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function<br /> skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return<br /> values would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in<br /> ip(6)_finish_output2. When this happens, skbs that have been freed would<br /> continue to the neighbor subsystem, causing use-after-free bug and<br /> kernel crashes.<br /> <br /> To fix the incorrect behavior, skb_do_redirect return values can be<br /> simply discarded, the same as tc-egress behavior. On the other hand,<br /> bpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU<br /> information. Thus convert its return values to avoid the conflict with<br /> LWTUNNEL_XMIT_CONTINUE.