CVE-2023-52574
Description
In the Linux kernel, the following vulnerability has been resolved: team: fix null-ptr-deref when team device type is changed Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] ... Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x150 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? vlan_dev_hard_header+0x35/0x140 [8021q] ? vlan_dev_hard_header+0x8e/0x140 [8021q] neigh_connected_output+0xb2/0x100 ip6_finish_output2+0x1cb/0x520 ? nf_hook_slow+0x43/0xc0 ? ip6_mtu+0x46/0x80 ip6_finish_output+0x2a/0xb0 mld_sendpack+0x18f/0x250 mld_ifc_work+0x39/0x160 process_one_work+0x1e6/0x3f0 worker_thread+0x4d/0x2f0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe5/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 [1] $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}' $ ip link add name t-dummy type dummy $ ip link add link t-dummy name t-dummy.100 type vlan id 100 $ ip link add name t-nlmon type nlmon $ ip link set t-nlmon master team0 $ ip link set t-nlmon nomaster $ ip link set t-dummy up $ ip link set team0 up $ ip link set t-dummy.100 down $ ip link set t-dummy.100 master team0 When enslave a vlan device to team device and team device type is changed from non-ether to ether, header_ops of team device is changed to vlan_header_ops. That is incorrect and will trigger null-ptr-deref for vlan->real_dev in vlan_dev_hard_header() because team device is not a vlan device. Cache eth_header_ops in team_setup(), then assign cached header_ops to header_ops of team net device when its type is changed from non-ether to ether to fix the bug.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-2394.html
Vendor advisory: alma — https://bugzilla.redhat.com/2270118
Vendor advisory: alma — https://bugzilla.redhat.com/2270080
Vendor advisory: alma — https://bugzilla.redhat.com/2267795
Vendor advisory: alma — https://bugzilla.redhat.com/2267788
Vendor advisory: alma — https://bugzilla.redhat.com/2267758
Vendor advisory: alma — https://bugzilla.redhat.com/2267041
Vendor advisory: alma — https://bugzilla.redhat.com/2265646
Vendor advisory: alma — https://bugzilla.redhat.com/2265645
Vendor advisory: alma — https://bugzilla.redhat.com/2265520
Vendor advisory: alma — https://bugzilla.redhat.com/2265519
Vendor advisory: alma — https://bugzilla.redhat.com/2265518
Vendor advisory: alma — https://bugzilla.redhat.com/2265517
Vendor advisory: alma — https://bugzilla.redhat.com/2262127
Vendor advisory: alma — https://bugzilla.redhat.com/2262126
Vendor advisory: alma — https://bugzilla.redhat.com/2260005
Vendor advisory: alma — https://bugzilla.redhat.com/2258518
Vendor advisory: alma — https://bugzilla.redhat.com/2258013
Vendor advisory: alma — https://bugzilla.redhat.com/2255498
Vendor advisory: alma — https://bugzilla.redhat.com/2253034
Vendor advisory: alma — https://bugzilla.redhat.com/2252731
Vendor advisory: alma — https://bugzilla.redhat.com/2246980
Vendor advisory: alma — https://bugzilla.redhat.com/2239848
Vendor advisory: alma — https://bugzilla.redhat.com/2210024
Vendor advisory: alma — https://bugzilla.redhat.com/2188102
Vendor advisory: alma — https://bugzilla.redhat.com/2185519
Vendor advisory: alma — https://bugzilla.redhat.com/2133452
Vendor advisory: alma — https://bugzilla.redhat.com/2049700
Vendor advisory: alma — https://bugzilla.redhat.com/1918601
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-2950.html
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:2950
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-3138.html
Vendor advisory: alma — https://bugzilla.redhat.com/2272811
Vendor advisory: alma — https://bugzilla.redhat.com/2270883
Vendor advisory: alma — https://bugzilla.redhat.com/2270836
Vendor advisory: alma — https://bugzilla.redhat.com/2269217
Vendor advisory: alma — https://bugzilla.redhat.com/2269189
Vendor advisory: alma — https://bugzilla.redhat.com/2267761
Vendor advisory: alma — https://bugzilla.redhat.com/2267760
Vendor advisory: alma — https://bugzilla.redhat.com/2267750
Vendor advisory: alma — https://bugzilla.redhat.com/2267695
Vendor advisory: alma — https://bugzilla.redhat.com/2265653
Vendor advisory: alma — https://bugzilla.redhat.com/2265285
Vendor advisory: alma — https://bugzilla.redhat.com/2257979
Vendor advisory: alma — https://bugzilla.redhat.com/2257682
Vendor advisory: alma — https://bugzilla.redhat.com/2256822
Vendor advisory: alma — https://bugzilla.redhat.com/2256490
Vendor advisory: alma — https://bugzilla.redhat.com/2255283
Vendor advisory: alma — https://bugzilla.redhat.com/2254982
Vendor advisory: alma — https://bugzilla.redhat.com/2254961
Vendor advisory: alma — https://bugzilla.redhat.com/2253632
Vendor advisory: alma — https://bugzilla.redhat.com/2250043
Vendor advisory: alma — https://bugzilla.redhat.com/2244720
Vendor advisory: alma — https://bugzilla.redhat.com/2239847
Vendor advisory: alma — https://bugzilla.redhat.com/2239845
Vendor advisory: alma — https://bugzilla.redhat.com/2235306
Vendor advisory: alma — https://bugzilla.redhat.com/2231410
Vendor advisory: alma — https://bugzilla.redhat.com/2230042
Vendor advisory: alma — https://bugzilla.redhat.com/2226788
Vendor advisory: alma — https://bugzilla.redhat.com/2226787
Vendor advisory: alma — https://bugzilla.redhat.com/2226784
Vendor advisory: alma — https://bugzilla.redhat.com/2226777
Vendor advisory: alma — https://bugzilla.redhat.com/2221702
Vendor advisory: alma — https://bugzilla.redhat.com/2221463
Vendor advisory: alma — https://bugzilla.redhat.com/2221039
Vendor advisory: alma — https://bugzilla.redhat.com/2219359
Vendor advisory: alma — https://bugzilla.redhat.com/2218332
Vendor advisory: alma — https://bugzilla.redhat.com/2213132
Vendor advisory: alma — https://bugzilla.redhat.com/2179892
Vendor advisory: alma — https://bugzilla.redhat.com/2177759
Vendor advisory: alma — https://bugzilla.redhat.com/2151959
Vendor advisory: alma — https://bugzilla.redhat.com/2150953
Vendor advisory: alma — https://bugzilla.redhat.com/2044578
Vendor advisory: alma — https://bugzilla.redhat.com/2043520
Vendor advisory: alma — https://bugzilla.redhat.com/2039178
Vendor advisory: alma — https://bugzilla.redhat.com/1999589
Vendor advisory: alma — https://bugzilla.redhat.com/1888726
Vendor advisory: alma — https://bugzilla.redhat.com/1746732
Vendor advisory: alma — https://bugzilla.redhat.com/1731000
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:3138
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-52574
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2023-52574.html
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:2950
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:2394
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| rocky | 8 | fixed | |
| sles | affected | | |
| debian | bookworm | fixed | 6.1.64-1 |
| debian | bullseye | fixed | 5.10.205-1 |
| debian | forky | fixed | 6.5.6-1 |
| debian | sid | fixed | 6.5.6-1 |
| debian | trixie | fixed | 6.5.6-1 |
| almalinux | 8 | fixed | kernel-abi-stablelists-4.18.0-553.el8_10.noarch.rpm |
| almalinux | 9 | fixed | kernel-doc-5.14.0-427.13.1.el9_4.noarch.rpm |
References
- https://access.redhat.com/errata/RHSA-2024:2394
- https://errata.rockylinux.org/RLSA-2024:2950
- https://www.suse.com/security/cve/CVE-2023-52574.html
- https://security-tracker.debian.org/tracker/CVE-2023-52574
- https://access.redhat.com/errata/RHSA-2024:3138
- https://bugzilla.redhat.com/1731000
- https://bugzilla.redhat.com/1746732
- https://bugzilla.redhat.com/1888726
- https://bugzilla.redhat.com/1999589
- https://bugzilla.redhat.com/2039178
- https://bugzilla.redhat.com/2043520
- https://bugzilla.redhat.com/2044578
- https://bugzilla.redhat.com/2150953
- https://bugzilla.redhat.com/2151959
- https://bugzilla.redhat.com/2177759
- https://bugzilla.redhat.com/2179892
- https://bugzilla.redhat.com/2213132
- https://bugzilla.redhat.com/2218332
- https://bugzilla.redhat.com/2219359
- https://bugzilla.redhat.com/2221039
- https://bugzilla.redhat.com/2221463
- https://bugzilla.redhat.com/2221702
- https://bugzilla.redhat.com/2226777
- https://bugzilla.redhat.com/2226784
- https://bugzilla.redhat.com/2226787
Verify integrity in audit chain (admin only). AS-IS.