CVE-2023-52906

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52906
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52906.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52906
Published
2024-08-21T06:10:47.121Z
Modified
2025-11-28T02:35:39.354518Z
Summary
net/sched: act_mpls: Fix warning during failed attribute validation
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mpls: Fix warning during failed attribute validation

The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid combination according to the comment above 'struct nla_policy':

"
Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
   NLA_BINARY           Validation function called for the attribute.
   All other            Unused - but note that it's a union
"

This can trigger the warning [1] in nla_get_range_unsigned() when validation of the attribute fails. Despite being of 'NLA_U32' type, the associated 'min'/'max' fields in the policy are negative as they are aliased by the 'validate' field.

Fix by changing the attribute type to 'NLA_BINARY' which is consistent with the above comment and all other users of NLA_POLICY_VALIDATE_FN(). As a result, move the length validation to the validation function.

No regressions in MPLS tests:

 # ./tdc.py -f tc-tests/actions/mpls.json
 [...]
 # echo $?
 0

[1]
WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118 nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
Modules linked in:
CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
[...]
Call Trace:
 <TASK>
 __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
 netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
 netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
 netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
 netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
 rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x38f/0x500 net/socket.c:2482
 ___sys_sendmsg net/socket.c:2536 [inline]
 __sys_sendmsg+0x197/0x230 net/socket.c:2565
 __do_sys_sendmsg net/socket.c:2574 [inline]
 __se_sys_sendmsg net/socket.c:2572 [inline]
 __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
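
The aliasing the commit message describes, as an added illustration that is not kernel code and not part of the original record: a simplified policy struct shows why 'min'/'max' read as pointer bytes, next to the fixed shape where a binary attribute's callback does the length check. All type and function names here are hypothetical stand-ins, the address is a constructed value, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { T_U32, T_BINARY };            /* stand-ins for NLA_U32 / NLA_BINARY */
enum { V_RANGE, V_FUNCTION };        /* stand-ins for the validation types */
struct attr { const void *data; size_t len; };    /* simplified attribute */

struct policy {                      /* simplified, not struct nla_policy */
    uint8_t type, validation_type;
    union {                          /* one slot, two interpretations */
        struct { int16_t min, max; };
        int (*validate)(const struct attr *a);
    };
};

/* Read min/max from a U32 policy whose slot holds a callback address.
 * fn_addr is a constructed kernel-text-like value; little-endian assumed. */
int aliased_bounds_negative(uint64_t fn_addr)
{
    struct policy p = { .type = T_U32, .validation_type = V_FUNCTION };
    memcpy(&p.validate, &fn_addr, sizeof p.validate);
    return p.min < 0 || p.max < 0;   /* negative bounds, as the text says */
}

/* Fixed shape: binary attribute, so the callback owns the length check. */
int valid_label(const struct attr *a)
{
    uint32_t label;
    if (a->len != sizeof label)
        return -1;                   /* length check moved into callback */
    memcpy(&label, a->data, sizeof label);
    return (label & ~0xFFFFFu) ? -1 : 0;   /* MPLS labels are 20 bits */
}

const struct policy fixed_label_policy = {
    .type = T_BINARY, .validation_type = V_FUNCTION, .validate = valid_label,
};

/* Call the callback only when the function member is the active one. */
int check_attr(const struct policy *p, const struct attr *a)
{
    if (p->type == T_BINARY && p->validation_type == V_FUNCTION)
        return p->validate(a);
    return -1;                       /* U32 + function: invalid combination */
}
```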

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52906.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2a2ea50870baa3fb4de0872c5b60828138654ca7
Fixed
2b157c3c5d6b8ddca48d53c9e662032f65af8d61
Fixed
453277feb41c2235cf2c0de9209eef962c401457
Fixed
9e2c38827cdc6fdd3bb375c8607fc04d289756f9
Fixed
8a97b544b98e44f596219ebb290fd2ba2fd5d644
Fixed
9e17f99220d111ea031b44153fdfe364b0024ff2

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.4.229
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.164
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.89
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.7