CVE-2023-53369

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: dcb: choose correct policy to parse DCB_ATTR_BCN

The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN], which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB BCN"). Please see the comment in below code

static int dcbnl_bcn_setcfg(…) { … ret = nla_parse_nested_deprecated(…, dcbnl_pfc_up_nest, .. ) // !!! dcbnl_pfc_up_nest for attributes // DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs … for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) { // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs … value_byte = nla_get_u8(data[i]); … } … for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) { // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs … value_int = nla_get_u32(data[i]); … } … }

That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the following access code fetch each nlattr as dcbnl_bcn_attrs attributes. By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find the beginning part of these two policies are "same".

static const struct nla_policy dcbnl_pfc_up_nest[…] = { [DCB_PFC_UP_ATTR_0] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_1] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_2] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_3] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_4] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_5] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_6] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_7] = {.type = NLA_U8}, [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG}, };

static const struct nla_policy dcbnl_bcn_nest[…] = { [DCB_BCN_ATTR_RP_0] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_1] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_2] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_3] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_4] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_5] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_6] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_7] = {.type = NLA_U8}, [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG}, // from here is somewhat different [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32}, … [DCB_BCN_ATTR_ALL] = {.type = NLA_FLAG}, };

Therefore, the current code is buggy and this nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.

Hence use the correct policy dcbnl_bcn_nest to parse the nested tb[DCB_ATTR_BCN] TLV.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux859ee3c43812051e21816c6d6d4cc04fb7ce9b2e < 5b3dbedb8d4a0f9f7ce904d76b885438af2a21f9affected
LinuxLinux859ee3c43812051e21816c6d6d4cc04fb7ce9b2e < 8e309f43d0ca4051d20736c06a6f84bbddd881daaffected
LinuxLinux859ee3c43812051e21816c6d6d4cc04fb7ce9b2e < a0da2684db18dead3bcee12fb185e596e3d63c2baffected
LinuxLinux859ee3c43812051e21816c6d6d4cc04fb7ce9b2e < ecff20e193207b44fdbfe64d7de89890f0a7fe6caffected
LinuxLinux859ee3c43812051e21816c6d6d4cc04fb7ce9b2e < 199fde04bd875d28b3a5ca525eaaa004eec6e947affected
LinuxLinux859ee3c43812051e21816c6d6d4cc04fb7ce9b2e < 31d49ba033095f6e8158c60f69714a500922e0c3affected
LinuxLinux2.6.29affected
LinuxLinux0 < 2.6.29unaffected
LinuxLinux5.4.253 <= 5.4.*unaffected
LinuxLinux5.10.190 <= 5.10.*unaffected
LinuxLinux5.15.126 <= 5.15.*unaffected
LinuxLinux6.1.45 <= 6.1.*unaffected
LinuxLinux6.4.10 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References