DEBIAN-CVE-2023-54004

In the Linux kernel, the following vulnerability has been resolved: udplite: Fix NULL pointer dereference in skmemraiseallocated(). syzbot reported [0] a null-ptr-deref in skgetrmem0() while using IPPROTOUDPLITE (0x88): 14:25:52 executing program 1: r0 = socket$inet6(0xa, 0x80002, 0x88) We had a similar report [1] for probably skmemoryallocatedadd() in _skmemraiseallocated(), and commit c915fe13cbaa ("udplite: fix NULL pointer dereference") fixed it by setting .memoryallocated for udpliteprot and udplitev6prot. To fix the variant, we need to set either .sysctlwmemoffset or .sysctlrmem. Now UDP and UDPLITE share the same value for .memoryallocated, so we use the same .sysctlwmemoffset for UDP and UDPLITE. [0]: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 RIP: 0010:skgetrmem0 include/net/sock.h:2907 [inline] RIP: 0010:skmemraiseallocated+0x806/0x17a0 net/core/sock.c:3006 Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000 RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8 RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000 R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0 Call Trace: <TASK> _skmemschedule+0x6c/0xe0 net/core/sock.c:3077 udprmemschedule net/ipv4/udp.c:1539 [inline] _udpenqueuescheduleskb+0x776/0xb30 net/ipv4/udp.c:1581 _udpv6queuercvskb net/ipv6/udp.c:666 [inline] udpv6queuercvoneskb+0xc39/0x16c0 net/ipv6/udp.c:775 udpv6queuercvskb+0x194/0xa10 net/ipv6/udp.c:793 _udp6libmcastdeliver net/ipv6/udp.c:906 [inline] _udp6librcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013 ip6protocoldeliverrcu+0x2e7/0x1250 net/ipv6/ip6input.c:437 ip6inputfinish+0x150/0x2f0 net/ipv6/ip6input.c:482 NFHOOK include/linux/netfilter.h:303 [inline] NFHOOK include/linux/netfilter.h:297 [inline] ip6input+0xa0/0xd0 net/ipv6/ip6input.c:491 ip6mcinput+0x40b/0xf50 net/ipv6/ip6input.c:585 dstinput include/net/dst.h:468 [inline] ip6rcvfinish net/ipv6/ip6input.c:79 [inline] NFHOOK include/linux/netfilter.h:303 [inline] NFHOOK include/linux/netfilter.h:297 [inline] ipv6rcv+0x250/0x380 net/ipv6/ip6input.c:309 _netifreceiveskbonecore+0x114/0x180 net/core/dev.c:5491 _netifreceiveskb+0x1f/0x1c0 net/core/dev.c:5605 netifreceiveskbinternal net/core/dev.c:5691 [inline] netifreceiveskb+0x133/0x7a0 net/core/dev.c:5750 tunrxbatched+0x4b3/0x7a0 drivers/net/tun.c:1553 tungetuser+0x2452/0x39c0 drivers/net/tun.c:1989 tunchrwriteiter+0xdf/0x200 drivers/net/tun.c:2035 callwriteiter include/linux/fs.h:1868 [inline] newsyncwrite fs/readwrite.c:491 [inline] vfswrite+0x945/0xd50 fs/readwrite.c:584 ksyswrite+0x12b/0x250 fs/readwrite.c:637 dosyscall32irqson arch/x86/entry/common.c:112 [inline] _dofastsyscall32+0x65/0xf0 arch/x86/entry/common.c:178 dofastsyscall32+0x33/0x70 arch/x86/entry/common.c:203 entrySYSENTERcompatafterhwframe+0x70/0x82 RIP: 0023:0xf7f21579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 ---truncated---