In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
While running the self-tests on a KASAN enabled kernel, I observed a
slab-out-of-bounds splat very similar to the one reported in
commit 821bbf79fe46 (“ipv6: Fix KASAN: slab-out-of-bounds Read in
fib6_nh_flush_exceptions”).
We additionally need to take care of fib6_metrics initialization
failure when the caller provides an nh.
The fix is similar, explicitly free the route instead of calling
fib6_info_release on a half-initialized object.
[
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "f88d8ea67fbd",
"lessThan": "830251361425",
"versionType": "git"
},
{
"status": "affected",
"version": "f88d8ea67fbd",
"lessThan": "ce8fafb68051",
"versionType": "git"
},
{
"status": "affected",
"version": "f88d8ea67fbd",
"lessThan": "115784bcccf1",
"versionType": "git"
},
{
"status": "affected",
"version": "f88d8ea67fbd",
"lessThan": "8fb4792f091e",
"versionType": "git"
}
],
"programFiles": [
"net/ipv6/route.c"
],
"defaultStatus": "unaffected"
},
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"status": "unaffected",
"version": "0",
"lessThan": "5.3",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "5.4.136",
"versionType": "custom",
"lessThanOrEqual": "5.4.*"
},
{
"status": "unaffected",
"version": "5.10.54",
"versionType": "custom",
"lessThanOrEqual": "5.10.*"
},
{
"status": "unaffected",
"version": "5.13.6",
"versionType": "custom",
"lessThanOrEqual": "5.13.*"
},
{
"status": "unaffected",
"version": "5.14",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
],
"programFiles": [
"net/ipv6/route.c"
],
"defaultStatus": "affected"
}
]