CVE-2023-53500

Source
https://cve.org/CVERecord?id=CVE-2023-53500
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53500.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53500
Downstream
Related
Published
2025-10-01T11:45:51.182Z
Modified
2026-05-15T11:54:37.676949942Z
Summary
xfrm: fix slab-use-after-free in decode_session6
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix slab-use-after-free in decode_session6

When the xfrm device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when the xfrm device sends IPv6 packets.

The stack information is as follows:

BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff8881111458ef by task swapper/3/0
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
xfrmi_xmit+0x173/0x1ca0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:intel_idle_hlt+0x23/0x30
Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 <fa> 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4
RSP: 0018:ffffc90000197d78 EFLAGS: 00000246
RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5
RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50
RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d
R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000
cpuidle_enter_state+0xd3/0x6f0
cpuidle_enter+0x4e/0xa0
do_idle+0x2fe/0x3c0
cpu_startup_entry+0x18/0x20
start_secondary+0x200/0x290
secondary_startup_64_no_verify+0x167/0x16b
</TASK>

Allocated by task 939:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
inet6_ifa_notify+0x118/0x230
__ipv6_ifa_notify+0x177/0xbe0
addrconf_dad_completed+0x133/0xe00
addrconf_dad_work+0x764/0x1390
process_one_work+0xa32/0x16f0
worker_thread+0x67d/0x10c0
kthread+0x344/0x440
ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff888111145800
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 239 bytes inside of
freed 640-byte region [ffff888111145800, ffff888111145a80)

As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53500.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges (Type: ECOSYSTEM)

Introduced 3.19.0, Fixed 4.19.293
Introduced 4.20.0, Fixed 5.4.255
Introduced 5.5.0, Fixed 5.10.192
Introduced 5.11.0, Fixed 5.15.128
Introduced 5.16.0, Fixed 6.1.47
Introduced 6.2.0, Fixed 6.4.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53500.json"