In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name PACKET_QDISC_BYPASS, skb->mac_header may not be reset and remains at its initial value of 65535, which may trigger slab-out-of-bounds bugs such as the following:
=================================================================
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
CPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
Call Trace:
 print_address_description.constprop.0+0x1d/0x160
 print_report.cold+0x4f/0x112
 kasan_report+0xa3/0x130
 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
 ipvlan_start_xmit+0x29/0xa0 [ipvlan]
 __dev_direct_xmit+0x2e2/0x380
 packet_direct_xmit+0x22/0x60
 packet_snd+0x7c9/0xc40
 sock_sendmsg+0x9a/0xa0
 __sys_sendto+0x18a/0x230
 __x64_sys_sendto+0x74/0x90
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is: 1. packet_snd() only resets skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified, as in packet_parse_headers()
In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() reads the MAC header with eth_hdr(), which uses "skb->head + skb->mac_header", an out-of-bounds access occurs.
This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and resets the mac header in the multicast path to solve this out-of-bounds bug.
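As an added illustration, and not code from the kernel or from this advisory, here is a user-space model of the sk_buff bookkeeping behind the bug; the struct, the buffer layout (256 bytes, frame at offset 64) and every function name are constructed stand-ins for the kernel helpers named in their comments. It shows why an unset mac_header (65535, a u16 sentinel) makes the eth_hdr() read land outside the allocation while the skb_eth_hdr() read the patch switches to does not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ETH_HLEN 14
#define MAC_HEADER_UNSET ((uint16_t)~0U) /* 65535: the kernel's "not set" value */

/* Constructed stand-in for the sk_buff fields involved in this bug. */
struct model_skb {
	unsigned char *head;  /* start of the allocation */
	unsigned char *data;  /* where the outgoing frame's L2 header begins */
	size_t alloc_len;     /* bytes allocated from head */
	uint16_t mac_header;  /* offset from head, or MAC_HEADER_UNSET */
};

/* Mirrors skb_mac_header_was_set(). */
static bool mac_header_was_set(const struct model_skb *skb)
{
	return skb->mac_header != MAC_HEADER_UNSET;
}
/* Mirrors skb_reset_mac_header(): mac_header becomes data - head. */
static void reset_mac_header(struct model_skb *skb)
{
	skb->mac_header = (uint16_t)(skb->data - skb->head);
}
/* eth_hdr() reads at skb->head + skb->mac_header: that offset from head. */
static size_t eth_hdr_offset(const struct model_skb *skb)
{
	return skb->mac_header;
}
/* skb_eth_hdr() reads at skb->data, so mac_header is never consulted. */
static size_t skb_eth_hdr_offset(const struct model_skb *skb)
{
	return (size_t)(skb->data - skb->head);
}
/* Does a 14-byte Ethernet header at this offset stay inside the allocation? */
static bool eth_read_in_bounds(const struct model_skb *skb, size_t off)
{
	return off + ETH_HLEN <= skb->alloc_len;
}

/* Constructed 256-byte skb with the frame 64 bytes in and mac_header still
 * unset, as the packet_direct_xmit() path described above leaves it. */
static unsigned char model_buf[256];
static struct model_skb make_unset_skb(void)
{
	struct model_skb skb = { model_buf, model_buf + 64, sizeof model_buf, MAC_HEADER_UNSET };
	return skb;
}
```

Calling reset_mac_header() on the constructed skb is the equivalent of the multicast-path reset the patch adds; after it, both offsets agree and both reads are in bounds.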