CVE-2023-52906 Information
Description
In the Linux kernel the following vulnerability has been resolved:
net/sched: act_mpls: Fix warning during failed attribute validation
The ‘TCA_MPLS_LABEL’ attribute is of ‘NLA_U32’ type but has a validation type of ‘NLA_VALIDATE_FUNCTION’. This is an invalid combination according to the comment above ‘struct nla_policy’:
\nMeaning of `validate’ field use via NLA_POLICY_VALIDATE_FN: NLA_BINARY Validation function called for the attribute. All other Unused - but note that it’s a union \n This can trigger the warning [1] in nla_get_range_unsigned() when validation of the attribute fails. Despite being of ‘NLA_U32’ type the associated ‘min’/‘max’ fields in the policy are negative as they are aliased by the ‘validate’ field.
Fix by changing the attribute type to ‘NLA_BINARY’ which is consistent with the above comment and all other users of NLA_POLICY_VALIDATE_FN(). As a result move the length validation to the validation function.
No regressions in MPLS tests:
./tdc.py -f tc-tests/actions/mpls.json […] echo $? 0
[1]
WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118
nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
Modules linked in:
CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 3
Hardware name: QEMU Standard PC (i440FX + PIIX 1996) BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
[…]
Call Trace:
Reference
https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61 https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457 https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9 https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644 https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2
Share on: