Fixed
Created: Dec 10, 2025
Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.13
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

ip6_vti: fix slab-use-after-free in decode_session6

When ipv6_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ipv6_vti device sends IPv6 packets.

The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
vti6_tnl_xmit+0x3e6/0x1ee0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
Allocated by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
netlink_sendmsg+0x9b1/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0x160/0x1c0
slab_free_freelist_hook+0x11b/0x220
kmem_cache_free+0xf0/0x490
skb_free_head+0x17f/0x1b0
skb_release_data+0x59c/0x850
consume_skb+0xd2/0x170
netlink_unicast+0x54f/0x7f0
netlink_sendmsg+0x926/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88802e08ed00
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 194 bytes inside of
freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)

As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
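Added illustration, not code from this advisory or from the kernel tree: a user-space C model of why a stale skb->cb is dangerous on the transmit path and why zeroing it before xfrm_decode_session is the right fix. The struct layouts (qdisc_cb, inet6_cb), the fallback of nhoff == 0 to the fixed header offset, and the packet bytes are trimmed models and constructed data, chosen so the qdisc's and IPv6's views of cb overlap the way the commit text describes.

```c
/* Model of the skb->cb hazard fixed in ip6_vti (illustration only, not kernel code).
 * cb is a per-skb scratch area that every layer reinterprets with its own struct,
 * so bytes written by a qdisc on enqueue can later be read back as IP6CB->nhoff. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CB_SIZE 48
#define IPV6_HDR_LEN 40
#define IPV6_NEXTHDR_OFF 6   /* offsetof(struct ipv6hdr, nexthdr) */

struct skb { uint8_t cb[CB_SIZE]; uint8_t data[64]; size_t len; };

/* qdisc view of cb (trimmed model): sfb keeps two flow hashes in the private area. */
struct qdisc_cb { uint32_t pkt_len; uint16_t queue_mapping, tc_classid; uint32_t hashes[2]; };
/* IPv6 view of cb (trimmed model): nhoff is only ever filled in on the receive path. */
struct inet6_cb { int32_t iif; uint16_t ra, dst0, srcrt, dst1, lastopt, nhoff; };
#define QDISC_CB(s) ((struct qdisc_cb *)(s)->cb)
#define IP6CB(s)    ((struct inet6_cb *)(s)->cb)

/* Modelled after decode_session6: a zero nhoff falls back to the header's own
 * nexthdr offset; any other value is trusted as an offset into the packet. */
static int decode_session6_model(const struct skb *s)
{
    size_t nhoff = IP6CB(s)->nhoff;
    if (!nhoff)
        nhoff = IPV6_NEXTHDR_OFF;
    if (nhoff >= s->len)        /* the read KASAN flagged: beyond the packet buffer */
        return -1;
    return s->data[nhoff];
}

/* Transmit path: the qdisc scribbles on cb, then the tunnel decodes the session.
 * Returns the decoded next header, or -1 when the offset leaves the buffer. */
int run_scenario(int clear_cb_before_decode)
{
    struct skb s = { .len = IPV6_HDR_LEN + 8 };   /* constructed: IPv6 header + 8-byte ICMPv6 */
    s.data[0] = 0x60;                              /* version 6 */
    s.data[IPV6_NEXTHDR_OFF] = 0x3a;               /* next header: ICMPv6 */
    QDISC_CB(&s)->hashes[0] = 0xdeadbeef;          /* what sfb leaves behind in cb */
    QDISC_CB(&s)->hashes[1] = 0xcafebabe;          /* overlaps inet6_cb.nhoff */
    if (clear_cb_before_decode)
        memset(IP6CB(&s), 0, sizeof(*IP6CB(&s))); /* the fix: zero cb before decoding */
    return decode_session6_model(&s);
}

int main(void)
{
    printf("stale cb : %d\n", run_scenario(0));   /* -1: nhoff is really qdisc hash bytes */
    printf("zeroed cb: %d\n", run_scenario(1));   /* 58 (0x3a): the genuine next header */
    return 0;
}
```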