CVE-2023-54114
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
As the call trace shows, skb_panic was caused by wrong skb->mac_header in nsh_gso_segment():
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+0x452/0x890 validate_xmit_skb_list+0x99/0xd0 sch_direct_xmit+0x294/0x7c0 __dev_queue_xmit+0x16f0/0x1d70 packet_xmit+0x185/0x210 packet_snd+0xc15/0x1170 packet_sendmsg+0x7b/0xa0 sock_sendmsg+0x14f/0x160
The root cause is: nsh_gso_segment() use skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if inner-layer protocol gso fails. However, skb->network_header may be reset by inner-layer protocol gso function e.g. mpls_gso_segment. skb->mac_header reset by the inaccurate network_header will be larger than skb headroom.
nsh_gso_segment nhoff = skb->network_header - skb->mac_header; __skb_pull(skb,nsh_len) skb_mac_gso_segment mpls_gso_segment skb_reset_network_header(skb);//skb->network_header+=nsh_len return -EINVAL; skb_gso_error_unwind skb_push(skb, nsh_len); skb->mac_header = skb->network_header - nhoff; // skb->mac_header > skb->headroom, cause skb_push panic
Use correct mac_offset to restore mac_header and get rid of nhoff.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c411ed854584a71b0e86ac3019b60e4789d88086 < 2f88c8d38ecf5ed0273f99a067246899ba499eb2 | affected |
| Linux | Linux | c411ed854584a71b0e86ac3019b60e4789d88086 < d2309e0cb27b6871b273fbc1725e93be62570d86 | affected |
| Linux | Linux | c411ed854584a71b0e86ac3019b60e4789d88086 < 435855b0831b351cb72cb38369ee33122ce9574c | affected |
| Linux | Linux | c411ed854584a71b0e86ac3019b60e4789d88086 < 02b20e0bc0c2628539e9e518dc342787c3332de2 | affected |
| Linux | Linux | c411ed854584a71b0e86ac3019b60e4789d88086 < cdd8160dcda1fed2028a5f96575a84afc23aff7d | affected |
| Linux | Linux | c411ed854584a71b0e86ac3019b60e4789d88086 < 6fbedf987b6b8ed54a50e2205d998eb2c8be72f9 | affected |
| Linux | Linux | c411ed854584a71b0e86ac3019b60e4789d88086 < cb38e62922aa3991793344b5a5870e7291c74a44 | affected |
| Linux | Linux | c411ed854584a71b0e86ac3019b60e4789d88086 < c83b49383b595be50647f0c764a48c78b5f3c4f8 | affected |
| Linux | Linux | 4.14 | affected |
| Linux | Linux | 0 < 4.14 | unaffected |
| Linux | Linux | 4.14.316 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.284 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.244 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.181 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.113 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.30 <= 6.1.* | unaffected |
| Linux | Linux | 6.3.4 <= 6.3.* | unaffected |
| Linux | Linux | 6.4 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2
- https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86
- https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c
- https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2
- https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d
- https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9
- https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44
- https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.