CVE-2023-53500

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: fix slab-use-after-free in decode_session6<br /> <br /> When the xfrm device is set to the qdisc of the sfb type, the cb field<br /> of the sent skb may be modified during enqueuing. Then,<br /> slab-use-after-free may occur when the xfrm device sends IPv6 packets.<br /> <br /> The stack information is as follows:<br /> BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890<br /> Read of size 1 at addr ffff8881111458ef by task swapper/3/0<br /> CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xd9/0x150<br /> print_address_description.constprop.0+0x2c/0x3c0<br /> kasan_report+0x11d/0x130<br /> decode_session6+0x103f/0x1890<br /> __xfrm_decode_session+0x54/0xb0<br /> xfrmi_xmit+0x173/0x1ca0<br /> dev_hard_start_xmit+0x187/0x700<br /> sch_direct_xmit+0x1a3/0xc30<br /> __qdisc_run+0x510/0x17a0<br /> __dev_queue_xmit+0x2215/0x3b10<br /> neigh_connected_output+0x3c2/0x550<br /> ip6_finish_output2+0x55a/0x1550<br /> ip6_finish_output+0x6b9/0x1270<br /> ip6_output+0x1f1/0x540<br /> ndisc_send_skb+0xa63/0x1890<br /> ndisc_send_rs+0x132/0x6f0<br /> addrconf_rs_timer+0x3f1/0x870<br /> call_timer_fn+0x1a0/0x580<br /> expire_timers+0x29b/0x4b0<br /> run_timer_softirq+0x326/0x910<br /> __do_softirq+0x1d4/0x905<br /> irq_exit_rcu+0xb7/0x120<br /> sysvec_apic_timer_interrupt+0x97/0xc0<br /> <br /> <br /> asm_sysvec_apic_timer_interrupt+0x1a/0x20<br /> RIP: 0010:intel_idle_hlt+0x23/0x30<br /> Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4<br /> RSP: 0018:ffffc90000197d78 EFLAGS: 00000246<br /> RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5<br /> RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50<br /> RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d<br /> R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001<br /> R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000<br /> cpuidle_enter_state+0xd3/0x6f0<br /> cpuidle_enter+0x4e/0xa0<br /> do_idle+0x2fe/0x3c0<br /> cpu_startup_entry+0x18/0x20<br /> start_secondary+0x200/0x290<br /> secondary_startup_64_no_verify+0x167/0x16b<br /> <br /> Allocated by task 939:<br /> kasan_save_stack+0x22/0x40<br /> kasan_set_track+0x25/0x30<br /> __kasan_slab_alloc+0x7f/0x90<br /> kmem_cache_alloc_node+0x1cd/0x410<br /> kmalloc_reserve+0x165/0x270<br /> __alloc_skb+0x129/0x330<br /> inet6_ifa_notify+0x118/0x230<br /> __ipv6_ifa_notify+0x177/0xbe0<br /> addrconf_dad_completed+0x133/0xe00<br /> addrconf_dad_work+0x764/0x1390<br /> process_one_work+0xa32/0x16f0<br /> worker_thread+0x67d/0x10c0<br /> kthread+0x344/0x440<br /> ret_from_fork+0x1f/0x30<br /> The buggy address belongs to the object at ffff888111145800<br /> which belongs to the cache skbuff_small_head of size 640<br /> The buggy address is located 239 bytes inside of<br /> freed 640-byte region [ffff888111145800, ffff888111145a80)<br /> <br /> As commit f855691975bb ("xfrm6: Fix the nexthdr offset in<br /> _decode_session6.") showed, xfrm_decode_session was originally intended<br /> only for the receive path. IP6CB(skb)-&gt;nhoff is not set during<br /> transmission. Therefore, set the cb field in the skb to 0 before<br /> sending packets.