Message-ID: <2025120950-CVE-2023-53821-9542@gregkh>
Date: Tue, 9 Dec 2025 10:31:05 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53821: ip6_vti: fix slab-use-after-free in decode_session6
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: fix slab-use-after-free in decode_session6
When an ipv6_vti device is attached to a qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then a
slab-use-after-free may occur when the ipv6_vti device sends IPv6 packets.
The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
vti6_tnl_xmit+0x3e6/0x1ee0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
Allocated by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
netlink_sendmsg+0x9b1/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0x160/0x1c0
slab_free_freelist_hook+0x11b/0x220
kmem_cache_free+0xf0/0x490
skb_free_head+0x17f/0x1b0
skb_release_data+0x59c/0x850
consume_skb+0xd2/0x170
netlink_unicast+0x54f/0x7f0
netlink_sendmsg+0x926/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88802e08ed00
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 194 bytes inside of
freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
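The control-block reuse described above, as an added userspace model (not the kernel's code and not the committed fix): a qdisc writes its own state into the same cb bytes that decode_session6 later interprets as IP6CB, so a stale nhoff indexes past the packet head, while zeroing cb in the transmit path before decoding keeps the read inside the buffer. Struct layouts, buffer sizes and the hash values are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the skb control-block reuse behind CVE-2023-53821.
 * Not kernel code: sizes, layouts and names are simplified for illustration. */
#define CB_SIZE   48
#define HEAD_SIZE 64

struct skb {
    uint8_t head[HEAD_SIZE]; /* network header starts at head[0] */
    uint8_t cb[CB_SIZE];     /* scratch area shared by every layer handling the skb */
};

/* Layout the receive path stores in cb (simplified IP6CB). */
struct inet6_cb { uint16_t nhoff; uint16_t flags; };
/* Layout a qdisc (modelled on sfb) stores in the same bytes while the skb is queued. */
struct qdisc_cb { uint32_t hashes[2]; };

/* Model of the qdisc enqueue: overwrites cb with per-flow hash state. */
static void qdisc_enqueue(struct skb *skb) {
    struct qdisc_cb *qcb = (struct qdisc_cb *)skb->cb;
    qcb->hashes[0] = 0xdeadbeef; /* constructed values */
    qcb->hashes[1] = 0xcafebabe;
}

/* Model of decode_session6: indexes the network header with IP6CB(skb)->nhoff.
 * Returns the byte read, or -1 when nhoff points outside the head buffer; the
 * real kernel performed that read and KASAN reported it as a use-after-free. */
static int decode_session6(const struct skb *skb) {
    const struct inet6_cb *cb = (const struct inet6_cb *)skb->cb;
    if (cb->nhoff >= HEAD_SIZE)
        return -1;
    return skb->head[cb->nhoff];
}

/* Transmit path; clear_cb selects the fixed behaviour: zero cb before decoding. */
static int vti6_xmit(struct skb *skb, int clear_cb) {
    if (clear_cb)
        memset(skb->cb, 0, sizeof(skb->cb));
    return decode_session6(skb);
}

/* Queue an IPv6 packet through the qdisc, then transmit it through the tunnel. */
static int simulate_xmit(int clear_cb) {
    struct skb skb;
    memset(&skb, 0, sizeof(skb));
    skb.head[0] = 0x60;  /* constructed IPv6 header: version nibble */
    skb.head[6] = 0x3a;  /* nexthdr field (ICMPv6) at its real offset */
    qdisc_enqueue(&skb); /* cb now holds qdisc state, not IP6CB */
    return vti6_xmit(&skb, clear_cb);
}
```

With the qdisc state left in place, simulate_xmit(0) yields -1 because the stale nhoff lies outside the head buffer; with cb zeroed first, simulate_xmit(1) reads within the buffer (offset 0 in this model).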
The Linux kernel CVE team has assigned CVE-2023-53821 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.19 with commit f855691975bb06373a98711e4cfe2c224244b536 and fixed in 4.14.324 with commit 0f0ab8d52ee0062b28367dea23c29e254a26d7db
Issue introduced in 3.19 with commit f855691975bb06373a98711e4cfe2c224244b536 and fixed in 4.19.293 with commit fa6c6c04f6c9b21b315023f487e5a07ae7fcf647
Issue introduced in 3.19 with commit f855691975bb06373a98711e4cfe2c224244b536 and fixed in 5.4.255 with commit eb47e612e59c358c3968a92f90dd36c78c9a2106
Issue introduced in 3.19 with commit f855691975bb06373a98711e4cfe2c224244b536 and fixed in 5.10.192 with commit ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36
Issue introduced in 3.19 with commit f855691975bb06373a98711e4cfe2c224244b536 and fixed in 5.15.128 with commit a1639a82ce14af76b6419778d343ccbff86ee626
Issue introduced in 3.19 with commit f855691975bb06373a98711e4cfe2c224244b536 and fixed in 6.1.47 with commit 55ad2309205cc00c585344374c7472420e1b2c12
Issue introduced in 3.19 with commit f855691975bb06373a98711e4cfe2c224244b536 and fixed in 6.4.12 with commit c070688bfbe7759e61e697e421b2a331b0dd74bc
Issue introduced in 3.19 with commit f855691975bb06373a98711e4cfe2c224244b536 and fixed in 6.5 with commit 9fd41f1ba638938c9a1195d09bc6fa3be2712f25
Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53821
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ipv6/ip6_vti.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/0f0ab8d52ee0062b28367dea23c29e254a26d7db
https://git.kernel.org/stable/c/fa6c6c04f6c9b21b315023f487e5a07ae7fcf647
https://git.kernel.org/stable/c/eb47e612e59c358c3968a92f90dd36c78c9a2106
https://git.kernel.org/stable/c/ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36
https://git.kernel.org/stable/c/a1639a82ce14af76b6419778d343ccbff86ee626
https://git.kernel.org/stable/c/55ad2309205cc00c585344374c7472420e1b2c12
https://git.kernel.org/stable/c/c070688bfbe7759e61e697e421b2a331b0dd74bc
https://git.kernel.org/stable/c/9fd41f1ba638938c9a1195d09bc6fa3be2712f25