CVE-2023-52906

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52906
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52906.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52906
Related
Published
2024-08-21T07:15:06Z
Modified
2024-09-13T14:45:38.569357Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mpls: Fix warning during failed attribute validation

The 'TCAMPLSLABEL' attribute is of 'NLAU32' type, but has a validation type of 'NLAVALIDATEFUNCTION'. This is an invalid combination according to the comment above 'struct nlapolicy':

" Meaning of `validate' field, use via NLAPOLICYVALIDATEFN: NLABINARY Validation function called for the attribute. All other Unused - but note that it's a union "

This can trigger the warning [1] in nlagetrangeunsigned() when validation of the attribute fails. Despite being of 'NLAU32' type, the associated 'min'/'max' fields in the policy are negative as they are aliased by the 'validate' field.

Fix by changing the attribute type to 'NLABINARY' which is consistent with the above comment and all other users of NLAPOLICYVALIDATEFN(). As a result, move the length validation to the validation function.

No regressions in MPLS tests:

# ./tdc.py -f tc-tests/actions/mpls.json [...] # echo $? 0

[1] WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118 nlagetrangeunsigned+0x1d8/0x1e0 lib/nlattr.c:117 Modules linked in: CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 RIP: 0010:nlagetrangeunsigned+0x1d8/0x1e0 lib/nlattr.c:117 [...] Call Trace: <TASK> netlinkpolicydumpwriteattr+0x23d/0x990 net/netlink/policy.c:310 netlinkpolicydumpwriteattr+0x22/0x30 net/netlink/policy.c:411 netlinkacktlvfill net/netlink/afnetlink.c:2454 [inline] netlinkack+0x546/0x760 net/netlink/afnetlink.c:2506 netlinkrcvskb+0x1b7/0x240 net/netlink/afnetlink.c:2546 rtnetlinkrcv+0x18/0x20 net/core/rtnetlink.c:6109 netlinkunicastkernel net/netlink/afnetlink.c:1319 [inline] netlinkunicast+0x5e9/0x6b0 net/netlink/afnetlink.c:1345 netlinksendmsg+0x739/0x860 net/netlink/afnetlink.c:1921 socksendmsgnosec net/socket.c:714 [inline] socksendmsg net/socket.c:734 [inline] syssendmsg+0x38f/0x500 net/socket.c:2482 _syssendmsg net/socket.c:2536 [inline] _syssendmsg+0x197/0x230 net/socket.c:2565 _dosyssendmsg net/socket.c:2574 [inline] _sesyssendmsg net/socket.c:2572 [inline] _x64syssendmsg+0x42/0x50 net/socket.c:2572 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x2b/0x70 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x63/0xcd

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}