CVE-2023-53660

Summary

In the Linux kernel, the following vulnerability has been resolved:

bpf, cpumap: Handle skb as well when clean up ptr_ring

The following warning was reported when running xdp_redirect_cpu with both skb-mode and stress-mode enabled:

————[ cut here ]———— Incorrect XDP memory type (-2128176192) usage WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405 Modules linked in: CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Workqueue: events __cpu_map_entry_free RIP: 0010:__xdp_return+0x1e4/0x4a0 …… Call Trace: <TASK> ? show_regs+0x65/0x70 ? __warn+0xa5/0x240 ? __xdp_return+0x1e4/0x4a0 …… xdp_return_frame+0x4d/0x150 __cpu_map_entry_free+0xf9/0x230 process_one_work+0x6b0/0xb80 worker_thread+0x96/0x720 kthread+0x1a5/0x1f0 ret_from_fork+0x3a/0x70 ret_from_fork_asm+0x1b/0x30 </TASK>

The reason for the warning is twofold. One is due to the kthread cpu_map_kthread_run() is stopped prematurely. Another one is __cpu_map_ring_cleanup() doesn't handle skb mode and treats skbs in ptr_ring as XDP frames.

Prematurely-stopped kthread will be fixed by the preceding patch and ptr_ring will be empty when __cpu_map_ring_cleanup() is called. But as the comments in __cpu_map_ring_cleanup() said, handling and freeing skbs in ptr_ring as well to "catch any broken behaviour gracefully".

Affected Software

VendorProductVersion RangeStatus
LinuxLinux11941f8a85362f612df61f4aaab0e41b64d2111d < b58d34068fd9f96bfc7d389988dfaf9a92a8fe00affected
LinuxLinux11941f8a85362f612df61f4aaab0e41b64d2111d < cbd000451885801e9bbfd9cf7a7946806a85cb5eaffected
LinuxLinux11941f8a85362f612df61f4aaab0e41b64d2111d < 937345720d18f1ad006ba3d5dcb3fa121037b8a2affected
LinuxLinux11941f8a85362f612df61f4aaab0e41b64d2111d < 7c62b75cd1a792e14b037fa4f61f9b18914e7de1affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux5.15.126 <= 5.15.*unaffected
LinuxLinux6.1.45 <= 6.1.*unaffected
LinuxLinux6.4.10 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References