CVE-2023-52906

Summary

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mpls: Fix warning during failed attribute validation

The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid combination according to the comment above 'struct nla_policy':

" Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN: NLA_BINARY Validation function called for the attribute. All other Unused - but note that it's a union "

This can trigger the warning [1] in nla_get_range_unsigned() when validation of the attribute fails. Despite being of 'NLA_U32' type, the associated 'min'/'max' fields in the policy are negative as they are aliased by the 'validate' field.

Fix by changing the attribute type to 'NLA_BINARY' which is consistent with the above comment and all other users of NLA_POLICY_VALIDATE_FN(). As a result, move the length validation to the validation function.

No regressions in MPLS tests:

./tdc.py -f tc-tests/actions/mpls.json

[…]

echo $?

0

[1] WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118 nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117 Modules linked in: CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117 […] Call Trace: <TASK> __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310 netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411 netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline] netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506 netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546 rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x38f/0x500 net/socket.c:2482 ___sys_sendmsg net/socket.c:2536 [inline] __sys_sendmsg+0x197/0x230 net/socket.c:2565 __do_sys_sendmsg net/socket.c:2574 [inline] __se_sys_sendmsg net/socket.c:2572 [inline] __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2a2ea50870baa3fb4de0872c5b60828138654ca7 < 2b157c3c5d6b8ddca48d53c9e662032f65af8d61affected
LinuxLinux2a2ea50870baa3fb4de0872c5b60828138654ca7 < 453277feb41c2235cf2c0de9209eef962c401457affected
LinuxLinux2a2ea50870baa3fb4de0872c5b60828138654ca7 < 9e2c38827cdc6fdd3bb375c8607fc04d289756f9affected
LinuxLinux2a2ea50870baa3fb4de0872c5b60828138654ca7 < 8a97b544b98e44f596219ebb290fd2ba2fd5d644affected
LinuxLinux2a2ea50870baa3fb4de0872c5b60828138654ca7 < 9e17f99220d111ea031b44153fdfe364b0024ff2affected
LinuxLinux5.3affected
LinuxLinux0 < 5.3unaffected
LinuxLinux5.4.229 <= 5.4.*unaffected
LinuxLinux5.10.164 <= 5.10.*unaffected
LinuxLinux5.15.89 <= 5.15.*unaffected
LinuxLinux6.1.7 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References