In the Linux kernel, the following vulnerability has been resolved:
net: netlink: af_netlink: Prevent empty skb by adding a check on len.
Adding a check on len parameter to avoid empty skb. This prevents a division error in netemenqueue function which is caused when skb->len=0 and skb->datalen=0 in the randomized corruption step as shown below.
skb->data[prandomu32() % skbheadlen(skb)] ^= 1<<(prandom_u32() % 8);
Crash Report: [ 343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 343.216110] netem: version 1.3 [ 343.235841] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 343.236680] CPU: 3 PID: 4288 Comm: reproducer Not tainted 5.16.0-rc1+ [ 343.237569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 [ 343.238707] RIP: 0010:netemenqueue+0x1590/0x33c0 [schnetem] [ 343.239499] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff ff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f 74 <f7> f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03 [ 343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246 [ 343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX: 0000000000000000 [ 343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI: ffff88800f8eda40 [ 343.244474] RBP: ffff88800bcd7458 R08: 0000000000000000 R09: ffffffff94fb8445 [ 343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12: 0000000000000000 [ 343.246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15: 0000000000000020 [ 343.247291] FS: 00007fdde2bd7700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000 [ 343.248350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4: 00000000000006e0 [ 343.250076] Call Trace: [ 343.250423] <TASK> [ 343.250713] ? memcpy+0x4d/0x60 [ 343.251162] ? neteminit+0xa0/0xa0 [schnetem] [ 343.251795] ? sanitizercovtracepc+0x21/0x60 [ 343.252443] netemenqueue+0xe28/0x33c0 [schnetem] [ 343.253102] ? stacktracesave+0x87/0xb0 [ 343.253655] ? filterirqstacks+0xb0/0xb0 [ 343.254220] ? neteminit+0xa0/0xa0 [schnetem] [ 343.254837] ? _kasancheckwrite+0x14/0x20 [ 343.255418] ? rawspinlock+0x88/0xd6 [ 343.255953] devqdiscenqueue+0x50/0x180 [ 343.256508] _devqueuexmit+0x1a7e/0x3090 [ 343.257083] ? netdevcorepicktx+0x300/0x300 [ 343.257690] ? checkkcovmode+0x10/0x40 [ 343.258219] ? _rawspinunlockirqrestore+0x29/0x40 [ 343.258899] ? _kasaninitslabobj+0x24/0x30 [ 343.259529] ? setupobject.isra.71+0x23/0x90 [ 343.260121] ? newslab+0x26e/0x4b0 [ 343.260609] ? kasanpoison+0x3a/0x50 [ 343.261118] ? kasanunpoison+0x28/0x50 [ 343.261637] ? _kasanslaballoc+0x71/0x90 [ 343.262214] ? memcpy+0x4d/0x60 [ 343.262674] ? writecompdata+0x2f/0x90 [ 343.263209] ? _kasancheckwrite+0x14/0x20 [ 343.263802] ? _skbclone+0x5d6/0x840 [ 343.264329] ? _sanitizercovtracepc+0x21/0x60 [ 343.264958] devqueuexmit+0x1c/0x20 [ 343.265470] netlinkdelivertap+0x652/0x9c0 [ 343.266067] netlinkunicast+0x5a0/0x7f0 [ 343.266608] ? netlinkattachskb+0x860/0x860 [ 343.267183] ? _sanitizercovtracepc+0x21/0x60 [ 343.267820] ? writecompdata+0x2f/0x90 [ 343.268367] netlinksendmsg+0x922/0xe80 [ 343.268899] ? netlinkunicast+0x7f0/0x7f0 [ 343.269472] ? _sanitizercovtracepc+0x21/0x60 [ 343.270099] ? writecompdata+0x2f/0x90 [ 343.270644] ? netlinkunicast+0x7f0/0x7f0 [ 343.271210] socksendmsg+0x155/0x190 [ 343.271721] syssendmsg+0x75f/0x8f0 [ 343.272262] ? kernelsendmsg+0x60/0x60 [ 343.272788] ? writecompdata+0x2f/0x90 [ 343.273332] ? writecompdata+0x2f/0x90 [ 343.273869] _syssendmsg+0x10f/0x190 [ 343.274405] ? sendmsgcopymsghdr+0x80/0x80 [ 343.274984] ? slabpostallochook+0x70/0x230 [ 343.275597] ? futexwaitsetup+0x240/0x240 [ 343.276175] ? securityfilealloc+0x3e/0x170 [ 343.276779] ? writecompd ---truncated---