CVE-2023-52574: team: fix null-ptr-deref when team device type is changed
In the Linux kernel, the following vulnerability has been resolved:
team: fix null-ptr-deref when team device type is changed
A null-ptr-deref is hit as follows with reproducer [1].
BUG: kernel NULL pointer dereference, address: 0000000000000228
...
RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
...
Call Trace:
 <TASK>
 ? die+0x24/0x70
 ? page_fault_oops+0x82/0x150
 ? exc_page_fault+0x69/0x150
 ? asm_exc_page_fault+0x26/0x30
 ? vlan_dev_hard_header+0x35/0x140 [8021q]
 ? vlan_dev_hard_header+0x8e/0x140 [8021q]
 neigh_connected_output+0xb2/0x100
 ip6_finish_output2+0x1cb/0x520
 ? nf_hook_slow+0x43/0xc0
 ? ip6_mtu+0x46/0x80
 ip6_finish_output+0x2a/0xb0
 mld_sendpack+0x18f/0x250
 mld_ifc_work+0x39/0x160
 process_one_work+0x1e6/0x3f0
 worker_thread+0x4d/0x2f0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe5/0x120
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x34/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
[1]
$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
$ ip link add name t-dummy type dummy
$ ip link add link t-dummy name t-dummy.100 type vlan id 100
$ ip link add name t-nlmon type nlmon
$ ip link set t-nlmon master team0
$ ip link set t-nlmon nomaster
$ ip link set t-dummy up
$ ip link set team0 up
$ ip link set t-dummy.100 down
$ ip link set t-dummy.100 master team0
When a VLAN device is enslaved to a team device and the team device's type changes from non-ether to ether, the team device's header_ops is set to vlan_header_ops. That is incorrect and triggers a null-ptr-deref on vlan->real_dev in vlan_dev_hard_header(), because the team device is not a VLAN device.
Cache eth_header_ops in team_setup(), then assign the cached header_ops to the team net device's header_ops when its type changes from non-ether to ether, to fix the bug.
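The root cause and the fix described above, replayed in a user-space model as an added example (not the kernel's or the advisory's code): the team device first adopts a non-ether port's type, then an Ethernet VLAN port's, and the pre-fix path installs vlan_header_ops on a device whose private data is not a vlan_dev_priv. All structs, ARPHRD values and function names are simplified stand-ins for their kernel namesakes, and the modelled vlan_dev_hard_header returns -EFAULT where the kernel would oops.

```c
#include <errno.h>
#include <stddef.h>

#define ARPHRD_ETHER 1
#define ARPHRD_NETLINK 824  /* non-ether type; nlmon ports use it */

struct net_device;
struct header_ops { int (*create)(struct net_device *dev); };
/* priv[] is a zeroed stand-in for the storage netdev_priv() returns */
struct net_device { int type; const struct header_ops *header_ops; unsigned char priv[32]; };
static void *netdev_priv(struct net_device *dev) { return dev->priv; }

/* 8021q private data; real_dev sits past the bytes struct team uses, so a team device reads NULL */
struct vlan_dev_priv { unsigned char pad[16]; struct net_device *real_dev; };
struct team { const struct header_ops *header_ops_cache; };  /* field added by the fix */

static int eth_header_create(struct net_device *dev) { (void)dev; return 0; }
static const struct header_ops eth_header_ops = { eth_header_create };

/* Models vlan_dev_hard_header(): assumes dev is a VLAN device and forwards to real_dev */
static int vlan_dev_hard_header(struct net_device *dev)
{
	struct vlan_dev_priv *vlan = netdev_priv(dev);
	if (!vlan->real_dev)
		return -EFAULT;  /* the kernel dereferences NULL here instead */
	return vlan->real_dev->header_ops->create(vlan->real_dev);
}
static const struct header_ops vlan_header_ops = { vlan_dev_hard_header };

/* Models team_setup_by_port(): the team adopts the type of its first port */
static void team_setup_by_port(struct net_device *dev, struct net_device *port_dev, int fixed)
{
	struct team *team = netdev_priv(dev);
	if (fixed && port_dev->type == ARPHRD_ETHER)
		dev->header_ops = team->header_ops_cache;  /* fixed: cached eth_header_ops */
	else
		dev->header_ops = port_dev->header_ops;    /* pre-fix: inherits vlan_header_ops */
	dev->type = port_dev->type;
}

/* Replays the reproducer: enslave nlmon, release it, enslave a VLAN device, build a header */
static int replay(int fixed)
{
	struct net_device dummy = { ARPHRD_ETHER, &eth_header_ops, {0} };
	struct net_device vlan = { ARPHRD_ETHER, &vlan_header_ops, {0} };
	struct net_device nlmon = { ARPHRD_NETLINK, NULL, {0} };
	struct net_device team0 = { ARPHRD_ETHER, &eth_header_ops, {0} };
	((struct vlan_dev_priv *)netdev_priv(&vlan))->real_dev = &dummy;
	((struct team *)netdev_priv(&team0))->header_ops_cache = team0.header_ops;  /* team_setup() */
	team_setup_by_port(&team0, &nlmon, fixed);  /* ether -> non-ether */
	team_setup_by_port(&team0, &vlan, fixed);   /* non-ether -> ether */
	return team0.header_ops->create(&team0);     /* 0 when fixed, -EFAULT before the fix */
}
```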
Other sources
In the Linux kernel, the following vulnerability has been resolved:
team: fix null-ptr-deref when team device type is changed
The Linux kernel CVE team has assigned CVE-2023-52574 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024030256-CVE-2023-52574-a423@gregkh/T/#u
— Red Hat
Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when team device type is changed. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
— IBM
Frequently Asked Questions
What is the severity of CVE-2023-52574?
CVE-2023-52574 has been classified as potentially critical because it is a NULL pointer dereference in the kernel.
How do I fix CVE-2023-52574?
To fix CVE-2023-52574, upgrade your Linux kernel to the versions 4.14.327, 4.19.296, 5.4.258, 5.10.198, 5.15.134, 6.1.56, 6.5.6, or 6.6.
What is affected by CVE-2023-52574?
CVE-2023-52574 affects multiple versions of the Linux kernel, namely those before 4.14.327, 4.19.296, 5.4.258, 5.10.198, 5.15.134, 6.1.56, 6.5.6, and 6.6.
What causes the CVE-2023-52574 vulnerability?
The CVE-2023-52574 vulnerability is caused by a null pointer dereference bug that occurs when the team device type is changed.
Is CVE-2023-52574 actively exploited?
As of now, there have been no confirmed reports of CVE-2023-52574 being actively exploited in the wild.