CVE-2023-53147

In the Linux kernel, the following vulnerability has been resolved:

xfrm: add NULL check in xfrmupdateae_params

Normally, x->replayesn and x->preplayesn should be allocated at xfrmallocreplaystateesn(...) in xfrmstateconstruct(...), hence the xfrmupdateaeparams(...) is okay to update them. However, the current implementation of xfrmnew_ae(...) allows a malicious user to directly dereference a NULL pointer and crash the kernel like below.

BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4 RIP: 0010:memcpy_orig+0xad/0x140 Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c RSP: 0018:ffff888008f57658 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571 RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818 R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000 FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die+0x1f/0x70 ? pagefaultoops+0x1e8/0x500 ? __pfxisprefetch.constprop.0+0x10/0x10 ? __pfxpagefaultoops+0x10/0x10 ? rawspinunlockirqrestore+0x11/0x40 ? fixupexception+0x36/0x460 ? rawspinunlockirqrestore+0x11/0x40 ? excpagefault+0x5e/0xc0 ? asmexcpagefault+0x26/0x30 ? xfrmupdateaeparams+0xd1/0x260 ? memcpyorig+0xad/0x140 ? pfxrawspinlockbh+0x10/0x10 xfrmupdateaeparams+0xe7/0x260 xfrmnew_ae+0x298/0x4e0 ? __pfxxfrmnew_ae+0x10/0x10 ? __pfxxfrmnewae+0x10/0x10 xfrmuserrcvmsg+0x25a/0x410 ? __pfxxfrmuserrcvmsg+0x10/0x10 ? __allocskb+0xcf/0x210 ? stacktracesave+0x90/0xd0 ? filterirq_stacks+0x1c/0x70 ? __stackdepotsave+0x39/0x4e0 ? __kasanslabfree+0x10a/0x190 ? kmemcachefree+0x9c/0x340 ? netlinkrecvmsg+0x23c/0x660 ? sockrecvmsg+0xeb/0xf0 ? __sys_recvfrom+0x13c/0x1f0 ? __x64sysrecvfrom+0x71/0x90 ? dosyscall64+0x3f/0x90 ? entrySYSCALL64afterhwframe+0x72/0xdc ? copyout+0x3e/0x50 netlinkrcvskb+0xd6/0x210 ? __pfxxfrmuserrcvmsg+0x10/0x10 ? __pfxnetlinkrcv_skb+0x10/0x10 ? __pfxsockhasperm+0x10/0x10 ? mutexlock+0x8d/0xe0 ? __pfxmutexlock+0x10/0x10 xfrm_netlinkrcv+0x44/0x50 netlinkunicast+0x36f/0x4c0 ? __pfxnetlinkunicast+0x10/0x10 ? netlinkrecvmsg+0x500/0x660 netlinksendmsg+0x3b7/0x700

This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit adds additional NULL check in xfrmupdateae_params to fix the NPD.