CVE-2023-53821

Source
https://cve.org/CVERecord?id=CVE-2023-53821
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53821.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53821
Published
2025-12-09T01:29:34.073Z
Modified
2026-03-11T07:53:58.792599Z
Summary
ip6_vti: fix slab-use-after-free in decode_session6
Details

In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix slab-use-after-free in decode_session6

When ip6_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ip6_vti device sends IPv6 packets.

The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
vti6_tnl_xmit+0x3e6/0x1ee0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>

Allocated by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
netlink_sendmsg+0x9b1/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0x160/0x1c0
slab_free_freelist_hook+0x11b/0x220
kmem_cache_free+0xf0/0x490
skb_free_head+0x17f/0x1b0
skb_release_data+0x59c/0x850
consume_skb+0xd2/0x170
netlink_unicast+0x54f/0x7f0
netlink_sendmsg+0x926/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88802e08ed00
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 194 bytes inside of
freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)

As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets.
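The mechanism behind this record is a control block shared by unrelated layers: the qdisc writes its own state into skb->cb on enqueue, and the transmit path then hands the skb to session decoding that reads IP6CB(skb)->nhoff as if the receive path had filled it in. The following is an added userspace model of that hazard and of the fix's remedy (zeroing the control block before decoding). It is not kernel code and not the fix commit; every name in it (skb_model, qdisc_scribble_cb, decode_session_model, xmit_without_cb_reset, xmit_with_cb_reset) is constructed for illustration, and the out-of-range read is reported as -1 rather than performed.

```c
/*
 * Added userspace model of the CVE-2023-53821 hazard; this is not kernel
 * code. All names below are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CB_SIZE 48   /* struct sk_buff also carries a 48-byte cb[] */
#define PKT_LEN 40   /* a bare IPv6 header */

/* Minimal IPv6 header layout: nexthdr lives at byte 6. */
struct ipv6hdr_model {
    uint8_t vtc_flow[4];
    uint8_t payload_len[2];
    uint8_t nexthdr;
    uint8_t hop_limit;
    uint8_t saddr[16];
    uint8_t daddr[16];
};

/* Receive-path view of the control block: nhoff says where nexthdr is. */
struct ip6cb_model {
    uint16_t nhoff;
};

struct skb_model {
    unsigned char cb[CB_SIZE];   /* scratch space shared by every layer */
    unsigned char data[PKT_LEN];
    size_t len;
};

/* Models a qdisc (sfb) enqueue that stores its own state in cb. */
static void qdisc_scribble_cb(struct skb_model *skb)
{
    memset(skb->cb, 0xab, 8);    /* constructed garbage; nhoff becomes 0xabab */
}

/*
 * Models _decode_session6: trusts nhoff from the control block, falling
 * back to the fixed IPv6 nexthdr offset when nhoff is 0. Returns the
 * next-header value, or -1 where the kernel would read past the packet
 * (the read that KASAN flagged).
 */
static int decode_session_model(const struct skb_model *skb)
{
    const struct ip6cb_model *cb = (const struct ip6cb_model *)skb->cb;
    uint16_t nhoff = cb->nhoff;

    if (!nhoff)
        nhoff = offsetof(struct ipv6hdr_model, nexthdr);
    if (nhoff >= skb->len)
        return -1;               /* out-of-bounds read detected, not performed */
    return skb->data[nhoff];
}

/* Constructed packet: an IPv6 header carrying ICMPv6, as in the ndisc path. */
static void build_icmpv6_skb(struct skb_model *skb)
{
    struct ipv6hdr_model hdr;
    memset(skb, 0, sizeof(*skb));
    memset(&hdr, 0, sizeof(hdr));
    hdr.vtc_flow[0] = 0x60;      /* version 6 */
    hdr.nexthdr = 58;            /* ICMPv6 */
    memcpy(skb->data, &hdr, sizeof(hdr));
    skb->len = sizeof(hdr);
}

/* Transmit path before the fix: cb still holds what the qdisc left there. */
int xmit_without_cb_reset(void)
{
    struct skb_model skb;
    build_icmpv6_skb(&skb);
    qdisc_scribble_cb(&skb);
    return decode_session_model(&skb);
}

/* Transmit path with the fix: zero the IPv6 control block before decoding. */
int xmit_with_cb_reset(void)
{
    struct skb_model skb;
    build_icmpv6_skb(&skb);
    qdisc_scribble_cb(&skb);
    memset(skb.cb, 0, sizeof(struct ip6cb_model));
    return decode_session_model(&skb);
}

int main(void)
{
    printf("without cb reset: %d (expected -1)\n", xmit_without_cb_reset());
    printf("with cb reset:    %d (expected 58)\n", xmit_with_cb_reset());
    return 0;
}
```

The bounds check in decode_session_model stands in for what KASAN detected at runtime; the real decoder has no such check, which is why the stale offset reached freed slab memory. The zeroing mirrors the fix's approach of clearing the cb field before transmission so that nhoff takes the documented fallback.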

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53821.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced: f855691975bb06373a98711e4cfe2c224244b536
Fixed: 0f0ab8d52ee0062b28367dea23c29e254a26d7db
Fixed: fa6c6c04f6c9b21b315023f487e5a07ae7fcf647
Fixed: eb47e612e59c358c3968a92f90dd36c78c9a2106
Fixed: ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36
Fixed: a1639a82ce14af76b6419778d343ccbff86ee626
Fixed: 55ad2309205cc00c585344374c7472420e1b2c12
Fixed: c070688bfbe7759e61e697e421b2a331b0dd74bc
Fixed: 9fd41f1ba638938c9a1195d09bc6fa3be2712f25

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53821.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM
Events (Introduced -> Fixed):
3.19.0 -> 4.14.324
4.15.0 -> 4.19.293
4.20.0 -> 5.4.255
5.5.0 -> 5.10.192
5.11.0 -> 5.15.128
5.16.0 -> 6.1.47
6.2.0 -> 6.4.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53821.json"