CVE-2023-52906

Severity: High · EPSS 16.0%
CVSS 3.1: 7.8
Published Aug 21, 2024
Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mpls: Fix warning during failed attribute validation

The 'TCA_MPLS_LABEL' attribute is of 'NLA_U32' type, but has a validation type of 'NLA_VALIDATE_FUNCTION'. This is an invalid combination according to the comment above 'struct nla_policy':

"
Meaning of `validate' field, use via NLA_POLICY_VALIDATE_FN:
   NLA_BINARY           Validation function called for the attribute.
   All other            Unused - but note that it's a union
"

This can trigger the warning [1] in nla_get_range_unsigned() when validation of the attribute fails. Despite being of 'NLA_U32' type, the associated 'min'/'max' fields in the policy are negative as they are aliased by the 'validate' field.

Fix by changing the attribute type to 'NLA_BINARY' which is consistent with the above comment and all other users of NLA_POLICY_VALIDATE_FN(). As a result, move the length validation to the validation function.

No regressions in MPLS tests:

 # ./tdc.py -f tc-tests/actions/mpls.json
 [...]
 # echo $?
 0

[1]
WARNING: CPU: 0 PID: 17743 at lib/nlattr.c:118
nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
Modules linked in:
CPU: 0 PID: 17743 Comm: syz-executor.0 Not tainted 6.1.0-rc8 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:nla_get_range_unsigned+0x1d8/0x1e0 lib/nlattr.c:117
[...]
Call Trace:
 <TASK>
 __netlink_policy_dump_write_attr+0x23d/0x990 net/netlink/policy.c:310
 netlink_policy_dump_write_attr+0x22/0x30 net/netlink/policy.c:411
 netlink_ack_tlv_fill net/netlink/af_netlink.c:2454 [inline]
 netlink_ack+0x546/0x760 net/netlink/af_netlink.c:2506
 netlink_rcv_skb+0x1b7/0x240 net/netlink/af_netlink.c:2546
 rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6109
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x38f/0x500 net/socket.c:2482
 ___sys_sendmsg net/socket.c:2536 [inline]
 __sys_sendmsg+0x197/0x230 net/socket.c:2565
 __do_sys_sendmsg net/socket.c:2574 [inline]
 __se_sys_sendmsg net/socket.c:2572 [inline]
 __x64_sys_sendmsg+0x42/0x50 net/socket.c:2572
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
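
Added example, not part of the CVE record or the kernel patch: a user-space C model of the union aliasing the description refers to, with the pre-fix and post-fix policy shapes side by side. The struct layout is simplified, and all model_ names, before_fix, after_fix and the 20-bit label rule are assumptions for illustration.

```c
/* User-space model only; model_* names are assumptions, not kernel identifiers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum model_type { MODEL_U32, MODEL_BINARY };
enum model_vtype { MODEL_VALIDATE_NONE, MODEL_VALIDATE_FUNCTION };

struct model_policy {
    enum model_type type;
    enum model_vtype validation_type;
    union {                               /* one storage, two meanings */
        struct { int16_t min, max; };     /* integer range bounds */
        int (*validate)(const void *data, size_t len);
    };
};

/* Post-fix shape: the length check lives inside the validation function. */
static int model_valid_label(const void *data, size_t len)
{
    uint32_t label;
    if (len != sizeof(label))
        return -1;
    memcpy(&label, data, sizeof(label));
    return (label & ~0xFFFFFu) ? -1 : 0;  /* constructed rule: 20-bit label */
}

/* 1 if the pair obeys the quoted rule: a validation function only on binary. */
static int model_policy_ok(const struct model_policy *p)
{
    return p->validation_type != MODEL_VALIDATE_FUNCTION || p->type == MODEL_BINARY;
}

/* What a range reader gets if it trusts min/max on a function-pointer policy:
 * the first bytes of the pointer, not bounds anyone chose. */
static void model_read_range(const struct model_policy *p, int16_t *min, int16_t *max)
{
    *min = p->min;
    *max = p->max;
}

static const struct model_policy before_fix = { MODEL_U32, MODEL_VALIDATE_FUNCTION, .validate = model_valid_label };
static const struct model_policy after_fix = { MODEL_BINARY, MODEL_VALIDATE_FUNCTION, .validate = model_valid_label };

int main(void)
{
    int16_t min, max;
    model_read_range(&before_fix, &min, &max);
    printf("before: ok=%d min=%d max=%d; after: ok=%d\n", model_policy_ok(&before_fix), min, max, model_policy_ok(&after_fix));
    return 0;
}
```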

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 16.0% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Affected Products 7

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.3 – <5.4.229
linux   linux_kernel  *        ≥5.5 – <5.10.164
linux   linux_kernel  *        ≥5.11 – <5.15.89
linux   linux_kernel  *        ≥5.16 – <6.1.7
linux   linux_kernel  6.2      any
linux   linux_kernel  6.2      any
linux   linux_kernel  6.2      any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2b157c3c5d6b8ddca48d53c9e662032f65af8d61
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/453277feb41c2235cf2c0de9209eef962c401457
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8a97b544b98e44f596219ebb290fd2ba2fd5d644
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e17f99220d111ea031b44153fdfe364b0024ff2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9e2c38827cdc6fdd3bb375c8607fc04d289756f9
    Patch