DEBIAN-CVE-2023-53369

Source
https://security-tracker.debian.org/tracker/CVE-2023-53369
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53369.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53369
Upstream
Published
2025-09-18T14:15:39Z
Modified
2025-09-30T05:18:00.088242Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: dcb: choose correct policy to parse DCB_ATTR_BCN

The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN], which is introduced in commit 859ee3c43812 ("DCB: Add support for DCB BCN"). Please see the comment in below code

    static int dcbnl_bcn_setcfg(...)
    {
      ...
      ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )
      // !!! dcbnl_pfc_up_nest for attributes
      //  DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
      ...
      for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
      // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
        ...
        value_byte = nla_get_u8(data[i]);
        ...
      }
      ...
      for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
      // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
        ...
        value_int = nla_get_u32(data[i]);
        ...
      }
      ...
    }

That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the following access code fetch each nlattr as dcbnl_bcn_attrs attributes. By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find the beginning part of these two policies are "same".

    static const struct nla_policy dcbnl_pfc_up_nest[...] = {
            [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},
            [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},
            [DCB_PFC_UP_ATTR_2]   = {.type = NLA_U8},
            [DCB_PFC_UP_ATTR_3]   = {.type = NLA_U8},
            [DCB_PFC_UP_ATTR_4]   = {.type = NLA_U8},
            [DCB_PFC_UP_ATTR_5]   = {.type = NLA_U8},
            [DCB_PFC_UP_ATTR_6]   = {.type = NLA_U8},
            [DCB_PFC_UP_ATTR_7]   = {.type = NLA_U8},
            [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
    };

    static const struct nla_policy dcbnl_bcn_nest[...] = {
            [DCB_BCN_ATTR_RP_0]   = {.type = NLA_U8},
            [DCB_BCN_ATTR_RP_1]   = {.type = NLA_U8},
            [DCB_BCN_ATTR_RP_2]   = {.type = NLA_U8},
            [DCB_BCN_ATTR_RP_3]   = {.type = NLA_U8},
            [DCB_BCN_ATTR_RP_4]   = {.type = NLA_U8},
            [DCB_BCN_ATTR_RP_5]   = {.type = NLA_U8},
            [DCB_BCN_ATTR_RP_6]   = {.type = NLA_U8},
            [DCB_BCN_ATTR_RP_7]   = {.type = NLA_U8},
            [DCB_BCN_ATTR_RP_ALL] = {.type = NLA_FLAG},
            // from here is somewhat different
            [DCB_BCN_ATTR_BCNA_0] = {.type = NLA_U32},
            ...
            [DCB_BCN_ATTR_ALL]    = {.type = NLA_FLAG},
    };

Therefore, the current code is buggy and this nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.

Hence use the correct policy dcbnl_bcn_nest to parse the nested tb[DCB_ATTR_BCN] TLV.
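
The policy mismatch described above can be reproduced in a small user-space model. This is an added example, not code from the kernel or from this advisory: the enums are shortened stand-ins for the two attribute enums, `toy_check` and `uncovered_types` are hypothetical helpers, and it is assumed that the parser receives a maximum attribute type but no table length.

```c
#include <stddef.h>

/* Toy model of netlink policy checking; constructed for illustration, not kernel code. */
enum toy_type { T_NONE = 0, T_U8, T_U32, T_FLAG };
enum check { CHECK_OK, CHECK_TOO_SHORT, CHECK_NO_POLICY };
struct toy_attr { int type; size_t len; };   /* attribute type, payload length in bytes */

/* Shortened stand-ins for the page's enums: both start with eight u8 entries
 * and an ALL flag; only the BCN enum continues with 32-bit fields. */
enum { PFC_UP_0 = 1, PFC_UP_ALL = 9, PFC_UP_MAX = 9 };
enum { BCN_RP_0 = 1, BCN_RP_ALL = 9, BCN_BCNA_0 = 10, BCN_RI = 12, BCN_MAX = 12 };

static const enum toy_type pfc_up_nest[PFC_UP_MAX + 1] = {
    [PFC_UP_0] = T_U8, T_U8, T_U8, T_U8, T_U8, T_U8, T_U8, T_U8,
    [PFC_UP_ALL] = T_FLAG,
};
static const enum toy_type bcn_nest[BCN_MAX + 1] = {
    [BCN_RP_0] = T_U8, T_U8, T_U8, T_U8, T_U8, T_U8, T_U8, T_U8,
    [BCN_RP_ALL] = T_FLAG,
    [BCN_BCNA_0] = T_U32, T_U32, T_U32,
};

static size_t min_len(enum toy_type t) { return t == T_U8 ? 1 : t == T_U32 ? 4 : 0; }

/* Bounds-aware check. A parser that knows only the maximum type would look a
 * type beyond the table's last entry up past the end of the array; here that
 * case is reported instead of performed. */
enum check toy_check(const struct toy_attr *a,
                     const enum toy_type *policy, size_t policy_len)
{
    if (a->type <= 0 || (size_t)a->type >= policy_len)
        return CHECK_NO_POLICY;
    return a->len >= min_len(policy[a->type]) ? CHECK_OK : CHECK_TOO_SHORT;
}

/* Number of attribute types in 1..maxtype that a table of policy_len entries cannot cover. */
int uncovered_types(size_t policy_len, int maxtype)
{
    return maxtype >= (int)policy_len ? maxtype - (int)policy_len + 1 : 0;
}

int main(void)
{
    struct toy_attr short_bcna = { BCN_BCNA_0, 1 };   /* constructed: 1-byte payload */
    /* Wrong table: no entry for this type, so the 4-byte minimum is never enforced. */
    int wrong = toy_check(&short_bcna, pfc_up_nest, PFC_UP_MAX + 1);
    /* Correct table: the short attribute is rejected before any 32-bit read. */
    int right = toy_check(&short_bcna, bcn_nest, BCN_MAX + 1);
    return !(wrong == CHECK_NO_POLICY && right == CHECK_TOO_SHORT);
}
```

Attributes in the shared u8 range pass under either table, which is why the mismatch only shows up from the first 32-bit attribute onward.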

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.191-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.52-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.4.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.4.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}