In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix nexthop hash size
The nexthop code expects a 31 bit hash, such as what is returned by fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash returned by skb_get_hash() can lead to problems related to the fact that 'int hash' is a negative number when the MSB is set.
In the case of hash threshold nexthop groups, nexthop_select_path_hthr() will disproportionately select the first nexthop group entry. In the case of resilient nexthop groups, nexthop_select_path_res() may do an out of bounds access in nh_buckets[], for example:
hash = -912054133
num_nh_buckets = 2
bucket_index = 65535
This leads to a kernel page-fault panic in nexthop_select_path(), reached from vxlan_xmit() on the transmit path (here triggered from the IPv6 DAD work queue sending a neighbour solicitation).
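As an added illustration (a toy model written for this note, not kernel code), the C sketch below mirrors the two selection paths described above with the kernel's field names: a negative 'int hash' always satisfies the first hash-threshold entry, and 'hash % num_nh_buckets' wraps to 65535 in the u16 for the hash from the report. The fix modelled here assumes the 31-bit value is obtained by dropping the MSB of the skb hash (a right shift by one), which restores the range fib_multipath_hash() and rt6_multipath_hash() provide.

```c
#include <stdint.h>
#include <stddef.h>
/* Added toy model of the kernel's nexthop selection, not kernel code;
 * field names (upper_bound, num_nh_buckets) follow the kernel's. */
struct hthr_entry { int upper_bound; };

/* Hash-threshold bounds spread over [0, 2^31): entry i covers hashes up
 * to (cumulative weight / total weight) * 2^31 - 1. */
static void hthr_rebalance(struct hthr_entry *e, const int *weight, size_t n)
{
    int64_t total = 0, cum = 0;
    for (size_t i = 0; i < n; i++)
        total += weight[i];
    for (size_t i = 0; i < n; i++) {
        cum += weight[i];
        e[i].upper_bound = (int)((cum * (1LL << 31)) / total - 1);
    }
}

/* nexthop_select_path_hthr(): first entry whose upper_bound >= hash.
 * Any negative 'int hash' (32-bit hash with the MSB set) picks entry 0. */
static size_t hthr_select(const struct hthr_entry *e, size_t n, int hash)
{
    for (size_t i = 0; i < n; i++)
        if (hash <= e[i].upper_bound)
            return i;
    return n - 1;
}

/* Two equal-weight entries (bounds 2^30-1 and 2^31-1), then select. */
static size_t hthr_select_two_equal(int hash)
{
    struct hthr_entry e[2];
    const int w[2] = { 1, 1 };
    hthr_rebalance(e, w, 2);
    return hthr_select(e, 2, hash);
}

/* nexthop_select_path_res(): u16 bucket_index = hash % num_nh_buckets.
 * A negative odd hash gives remainder -1, which the u16 wraps to 65535. */
static uint16_t res_bucket_index(int hash, uint16_t num_nh_buckets)
{
    return (uint16_t)(hash % num_nh_buckets);
}

/* The fix: pass a 31-bit value, as fib_multipath_hash() and
 * rt6_multipath_hash() do, by dropping the MSB of the skb hash. */
static int nexthop_hash_from_skb_hash(uint32_t skb_hash)
{
    return (int)(skb_hash >> 1);
}
```

The constructed 32-bit hash 0xC9A3288B is the unsigned form of the report's -912054133; after the shift it lands in entry 1 and bucket 1 instead of entry 0 and bucket 65535.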