CVE-2023-53843
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: reject negative ifindex
Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned ifindexes and let syzbot surface a latent problem in ovs. ovs does not validate ifindex, making it possible to create netdev ports with negative ifindex values. It's easy to repro with YNL:
$ ./cli.py –spec netlink/specs/ovs_datapath.yaml
–do new
–json '{"upcall-pid": 1, "name":"my-dp"}'
$ ./cli.py –spec netlink/specs/ovs_vport.yaml
–do new
–json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'
$ ip link show -65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff …
Validate the inputs. Now the second command correctly returns:
$ ./cli.py –spec netlink/specs/ovs_vport.yaml
–do new
–json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'
lib.ynl.NlError: Netlink error: Numerical result out of range nl_len = 108 (92) nl_flags = 0x300 nl_type = 2 error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'}
Accept 0 since it used to be silently ignored.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 54c4ef34c4b6f9720fded620e2893894f9f2c554 < c965a58376146dcfdda186819462e8eb3aadef3a | affected |
| Linux | Linux | 54c4ef34c4b6f9720fded620e2893894f9f2c554 < 881faff9e548a7ddfb11595be7c1c649217d27db | affected |
| Linux | Linux | 54c4ef34c4b6f9720fded620e2893894f9f2c554 < a552bfa16bab4ce901ee721346a28c4e483f4066 | affected |
| Linux | Linux | 6.1 | affected |
| Linux | Linux | 0 < 6.1 | unaffected |
| Linux | Linux | 6.1.47 <= 6.1.* | unaffected |
| Linux | Linux | 6.4.12 <= 6.4.* | unaffected |
| Linux | Linux | 6.5 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c965a58376146dcfdda186819462e8eb3aadef3a
- https://git.kernel.org/stable/c/881faff9e548a7ddfb11595be7c1c649217d27db
- https://git.kernel.org/stable/c/a552bfa16bab4ce901ee721346a28c4e483f4066
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.