CVE-2023-53821

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ip6_vti: fix slab-use-after-free in decode_session6<br /> <br /> When ipv6_vti device is set to the qdisc of the sfb type, the cb field<br /> of the sent skb may be modified during enqueuing. Then,<br /> slab-use-after-free may occur when ipv6_vti device sends IPv6 packets.<br /> <br /> The stack information is as follows:<br /> BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890<br /> Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0<br /> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xd9/0x150<br /> print_address_description.constprop.0+0x2c/0x3c0<br /> kasan_report+0x11d/0x130<br /> decode_session6+0x103f/0x1890<br /> __xfrm_decode_session+0x54/0xb0<br /> vti6_tnl_xmit+0x3e6/0x1ee0<br /> dev_hard_start_xmit+0x187/0x700<br /> sch_direct_xmit+0x1a3/0xc30<br /> __qdisc_run+0x510/0x17a0<br /> __dev_queue_xmit+0x2215/0x3b10<br /> neigh_connected_output+0x3c2/0x550<br /> ip6_finish_output2+0x55a/0x1550<br /> ip6_finish_output+0x6b9/0x1270<br /> ip6_output+0x1f1/0x540<br /> ndisc_send_skb+0xa63/0x1890<br /> ndisc_send_rs+0x132/0x6f0<br /> addrconf_rs_timer+0x3f1/0x870<br /> call_timer_fn+0x1a0/0x580<br /> expire_timers+0x29b/0x4b0<br /> run_timer_softirq+0x326/0x910<br /> __do_softirq+0x1d4/0x905<br /> irq_exit_rcu+0xb7/0x120<br /> sysvec_apic_timer_interrupt+0x97/0xc0<br /> <br /> Allocated by task 9176:<br /> kasan_save_stack+0x22/0x40<br /> kasan_set_track+0x25/0x30<br /> __kasan_slab_alloc+0x7f/0x90<br /> kmem_cache_alloc_node+0x1cd/0x410<br /> kmalloc_reserve+0x165/0x270<br /> __alloc_skb+0x129/0x330<br /> netlink_sendmsg+0x9b1/0xe30<br /> sock_sendmsg+0xde/0x190<br /> ____sys_sendmsg+0x739/0x920<br /> ___sys_sendmsg+0x110/0x1b0<br /> __sys_sendmsg+0xf7/0x1c0<br /> do_syscall_64+0x39/0xb0<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> Freed by task 9176:<br /> kasan_save_stack+0x22/0x40<br /> kasan_set_track+0x25/0x30<br /> kasan_save_free_info+0x2b/0x40<br /> ____kasan_slab_free+0x160/0x1c0<br /> slab_free_freelist_hook+0x11b/0x220<br /> kmem_cache_free+0xf0/0x490<br /> skb_free_head+0x17f/0x1b0<br /> skb_release_data+0x59c/0x850<br /> consume_skb+0xd2/0x170<br /> netlink_unicast+0x54f/0x7f0<br /> netlink_sendmsg+0x926/0xe30<br /> sock_sendmsg+0xde/0x190<br /> ____sys_sendmsg+0x739/0x920<br /> ___sys_sendmsg+0x110/0x1b0<br /> __sys_sendmsg+0xf7/0x1c0<br /> do_syscall_64+0x39/0xb0<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> The buggy address belongs to the object at ffff88802e08ed00<br /> which belongs to the cache skbuff_small_head of size 640<br /> The buggy address is located 194 bytes inside of<br /> freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)<br /> <br /> As commit f855691975bb ("xfrm6: Fix the nexthdr offset in<br /> _decode_session6.") showed, xfrm_decode_session was originally intended<br /> only for the receive path. IP6CB(skb)-&gt;nhoff is not set during<br /> transmission. Therefore, set the cb field in the skb to 0 before<br /> sending packets.