In the Linux kernel, the following vulnerability has been resolved:
nexthop: Fix division by zero while replacing a resilient group
The resilient nexthop group torture tests in fib_nexthop.sh exposed a possible division by zero while replacing a resilient group [1]. The division by zero occurs when the data path sees a resilient nexthop group with zero buckets.
The tests replace a resilient nexthop group in a loop while traffic is forwarded through it. The tests do not specify the number of buckets while performing the replacement, resulting in the kernel allocating a stub resilient table (i.e, 'struct nhrestable') with zero buckets.
This table should never be visible to the data path, but the old nexthop group (i.e., 'oldg') might still be used by the data path when the stub table is assigned to it.
Fix this by only assigning the stub table to the old nexthop group after making sure the group is no longer used by the data path.
Tested with fib_nexthops.sh:
Tests passed: 222 Tests failed: 0
[1] divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 1850 Comm: ping Not tainted 5.14.0-custom-10271-ga86eb53057fe #1107 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-4.fc34 04/01/2014 RIP: 0010:nexthopselectpath+0x2d2/0x1a80 [...] Call Trace: fibselectmultipath+0x79b/0x1530 fibselectpath+0x8fb/0x1c10 iprouteoutputkeyhashrcu+0x1198/0x2da0 iprouteoutputkeyhash+0x190/0x340 iprouteoutputflow+0x21/0x120 rawsendmsg+0x91d/0x2e10 inetsendmsg+0x9e/0xe0 _syssendto+0x23d/0x360 _x64syssendto+0xe1/0x1b0 dosyscall64+0x35/0x80 entrySYSCALL64after_hwframe+0x44/0xae