CVE-2023-53752

Source
https://cve.org/CVERecord?id=CVE-2023-53752
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53752.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53752
Downstream
Related
Published
2025-12-08T01:19:12.407Z
Modified
2026-03-23T05:04:10.872907102Z
Summary
net: deal with integer overflows in kmalloc_reserve()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: deal with integer overflows in kmalloc_reserve()

Blamed commit changed:
    ptr = kmalloc(size);
    if (ptr)
      size = ksize(ptr);

to:
    size = kmalloc_size_roundup(size);
    ptr = kmalloc(size);

This allowed various crashes as reported by syzbot [1] and Kyle Zeng.

Problem is that if @size is bigger than 0x80000001, kmalloc_size_roundup(size) returns 2^32.

kmalloc_reserve() uses a 32bit variable (obj_size), so 2^32 is truncated to 0.

kmalloc(0) returns ZERO_SIZE_PTR which is not handled by skb allocations.

Following trace can be triggered if a netdev->mtu is set close to 0x7fffffff

We might in the future limit netdev->mtu to more sensible limit (like KMALLOC_MAX_SIZE).

This patch is based on a syzbot report, and also a report and tentative fix from Kyle Zeng.

[1]
BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]
BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527
Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554

CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106
 print_report+0xe4/0x4b4 mm/kasan/report.c:398
 kasan_report+0x150/0x1ac mm/kasan/report.c:495
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 memset+0x40/0x70 mm/kasan/shadow.c:44
 __build_skb_around net/core/skbuff.c:294 [inline]
 __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527
 alloc_skb include/linux/skbuff.h:1316 [inline]
 igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359
 add_grec+0x81c/0x1124 net/ipv4/igmp.c:534
 igmpv3_send_cr net/ipv4/igmp.c:667 [inline]
 igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810
 call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x54c/0x710 kernel/time/timer.c:1790
 run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803
 _stext+0x380/0xfbc
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84
 invoke_softirq kernel/softirq.c:437 [inline]
 __irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683
 irq_exit_rcu+0x14/0x78 kernel/softirq.c:695
 el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717
 __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724
 el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729
 el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
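The truncation chain the record describes (size_t 2^32 from the roundup, 32-bit obj_size becomes 0, kmalloc(0) hands back the non-NULL ZERO_SIZE_PTR, which the skb allocator's NULL check does not catch), as a user-space C model added here. This is not code from the kernel, the CVE record or the fix commit: every name prefixed model_, the 4 MiB allocation cap, the next-power-of-two rounding and the "fixed" variant (which mirrors the fix's idea of keeping the rounded size full-width so the allocation fails instead of silently becoming 0) are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* size_t on a 64-bit kernel; fixed to 64 bits so the model behaves the
 * same on any host. */
typedef uint64_t kernel_size_t;

/* Assumed maximum kmalloc request (4 MiB); anything larger fails. */
#define MODEL_KMALLOC_MAX_SIZE ((kernel_size_t)4 << 20)
/* kmalloc(0) result. The kernel's ZERO_SIZE_PTR is also (void *)16. */
#define MODEL_ZERO_SIZE_PTR ((void *)16)

/* Model of kmalloc_size_roundup(): every bucket / page order is the next
 * power of two. For 0x80000002 this is 0x100000000, i.e. 2^32. */
static kernel_size_t model_kmalloc_size_roundup(kernel_size_t size)
{
    kernel_size_t p = 1;

    if (size == 0)
        return 0;
    while (p < size)
        p <<= 1;
    return p;
}

/* Model of kmalloc(): 0 -> ZERO_SIZE_PTR (non-NULL!), too big -> NULL. */
static void *model_kmalloc(kernel_size_t size)
{
    if (size == 0)
        return MODEL_ZERO_SIZE_PTR;
    if (size > MODEL_KMALLOC_MAX_SIZE)
        return NULL;
    return malloc((size_t)size);
}

/* Vulnerable shape: obj_size is a 32-bit unsigned int, so the 64-bit
 * 2^32 returned by the roundup is truncated to 0 before kmalloc(). */
static void *model_kmalloc_reserve_vulnerable(unsigned int *size)
{
    unsigned int obj_size;

    obj_size = (unsigned int)model_kmalloc_size_roundup(*size); /* 2^32 -> 0 */
    *size = obj_size;
    return model_kmalloc(obj_size);
}

/* Fixed shape (assumed): keep the rounded size full-width so kmalloc()
 * sees 2^32 and fails; only narrow it after the allocation succeeded,
 * at which point it is known to fit in 32 bits. */
static void *model_kmalloc_reserve_fixed(unsigned int *size)
{
    kernel_size_t obj_size = model_kmalloc_size_roundup(*size);
    void *obj = model_kmalloc(obj_size);

    if (obj)
        *size = (unsigned int)obj_size;
    return obj;
}

enum skb_head_result {
    SKB_HEAD_OK,            /* real buffer, NULL check passed legitimately */
    SKB_HEAD_FAILED,        /* kmalloc returned NULL: clean failure path */
    SKB_HEAD_ZERO_SIZE_PTR  /* sentinel slipped past the NULL check */
};

/* Model of the only check __alloc_skb() makes on the head buffer. With the
 * vulnerable reserve, ZERO_SIZE_PTR is non-NULL and the kernel would go on
 * to memset skb_shared_info at data + size, which is the KASAN report. */
static enum skb_head_result model_alloc_skb_head(unsigned int size, bool fixed)
{
    void *data = fixed ? model_kmalloc_reserve_fixed(&size)
                       : model_kmalloc_reserve_vulnerable(&size);

    if (!data)
        return SKB_HEAD_FAILED;
    if (data == MODEL_ZERO_SIZE_PTR)
        return SKB_HEAD_ZERO_SIZE_PTR;
    free(data);
    return SKB_HEAD_OK;
}

int main(void)
{
    /* Constructed inputs: an ordinary head size, and one derived from an
     * mtu near 0x7fffffff, as the record describes. */
    unsigned int ordinary = 1500u + 256u;
    unsigned int huge = 0x80000002u;

    printf("roundup(0x%x) = 0x%llx\n", huge,
           (unsigned long long)model_kmalloc_size_roundup(huge));
    printf("ordinary, vulnerable: %d\n", model_alloc_skb_head(ordinary, false));
    printf("huge, vulnerable:     %d\n", model_alloc_skb_head(huge, false));
    printf("huge, fixed:          %d\n", model_alloc_skb_head(huge, true));
    return 0;
}
```

Run it and the vulnerable path reports SKB_HEAD_ZERO_SIZE_PTR for the huge request while the fixed path reports SKB_HEAD_FAILED; the ordinary request succeeds on both. The lesson generalises beyond this CVE: whenever a size_t-returning helper feeds a narrower variable, the narrowing must happen after the value has been bounds-checked, never before.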

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53752.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0dbc898f5917c5a3bec6be19d9f5469cbc351a7d
Fixed
31cf7853a940181593e4472fc56f46574123f9f6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
12d6c1d3a2ad0c199ec57c201cdc71e8e157a232
Fixed
e4ffc47a1c3e5d11a853aa178c9a5136e79412e9
Fixed
bf7da02d2b8faf324206e1cbe64a4813ff903cc1
Fixed
915d975b2ffa58a14bfcf16fafe00c41315949ff

Affected versions

v6.*
v6.1
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53752.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.1.54
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.16
Fixed
6.5.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53752.json"