FKIE_CVE-2023-53843

Vulnerability from fkie_nvd - Published: 2025-12-09 16:17 - Updated: 2025-12-09 18:37
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: reject negative ifindex Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned ifindexes and let syzbot surface a latent problem in ovs. ovs does not validate ifindex, making it possible to create netdev ports with negative ifindex values. It's easy to repro with YNL: $ ./cli.py --spec netlink/specs/ovs_datapath.yaml \ --do new \ --json '{"upcall-pid": 1, "name":"my-dp"}' $ ./cli.py --spec netlink/specs/ovs_vport.yaml \ --do new \ --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' $ ip link show -65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff ... Validate the inputs. Now the second command correctly returns: $ ./cli.py --spec netlink/specs/ovs_vport.yaml \ --do new \ --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' lib.ynl.NlError: Netlink error: Numerical result out of range nl_len = 108 (92) nl_flags = 0x300 nl_type = 2 error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'} Accept 0 since it used to be silently ignored.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/881faff9e548a7ddfb11595be7c1c649217d27db
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a552bfa16bab4ce901ee721346a28c4e483f4066
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c965a58376146dcfdda186819462e8eb3aadef3a
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: reject negative ifindex\n\nRecent changes in net-next (commit 759ab1edb56c (\"net: store netdevs\nin an xarray\")) refactored the handling of pre-assigned ifindexes\nand let syzbot surface a latent problem in ovs. ovs does not validate\nifindex, making it possible to create netdev ports with negative\nifindex values. It\u0027s easy to repro with YNL:\n\n$ ./cli.py --spec netlink/specs/ovs_datapath.yaml \\\n         --do new \\\n\t --json \u0027{\"upcall-pid\": 1, \"name\":\"my-dp\"}\u0027\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json \u0027{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}\u0027\n\n$ ip link show\n-65536: some-port0: \u003cBROADCAST,MULTICAST\u003e mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\n    link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff\n...\n\nValidate the inputs. Now the second command correctly returns:\n\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json \u0027{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}\u0027\n\nlib.ynl.NlError: Netlink error: Numerical result out of range\nnl_len = 108 (92) nl_flags = 0x300 nl_type = 2\n\terror: -34\textack: {\u0027msg\u0027: \u0027integer out of range\u0027, \u0027unknown\u0027: [[type:4 len:36] b\u0027\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x03\\x00\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x08\\x00\\x01\\x00\\x08\\x00\\x00\\x00\u0027], \u0027bad-attr\u0027: \u0027.ifindex\u0027}\n\nAccept 0 since it used to be silently ignored."
    }
  ],
  "id": "CVE-2023-53843",
  "lastModified": "2025-12-09T18:37:13.640",
  "metrics": {},
  "published": "2025-12-09T16:17:24.613",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/881faff9e548a7ddfb11595be7c1c649217d27db"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a552bfa16bab4ce901ee721346a28c4e483f4066"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c965a58376146dcfdda186819462e8eb3aadef3a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.