CVE-2023-52580
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/03/2024
Last modified:
16/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/core: Fix ETH_P_1588 flow dissector

When a PTP ethernet raw frame with a size of more than 256 bytes followed
by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation
is wrong. For example: hdr->message_length takes the wrong value (0xffff)
and it does not replicate real header length. In this case, 'nhoff' value
was overridden and the PTP header was badly dissected. This leads to a
kernel crash.

net/core: flow_dissector
net/core flow dissector nhoff = 0x0000000e
net/core flow dissector hdr->message_length = 0x0000ffff
net/core flow dissector nhoff = 0x0001000d (u16 overflow)
...
skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88
skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Using the size of the ptp_header struct will allow the corrected
calculation of the nhoff value.

net/core flow dissector nhoff = 0x0000000e
net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)
...
skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff
skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Kernel trace:
[ 74.984279] ------------[ cut here ]------------
[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!
[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1
[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023
[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130
[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
[ 75.121980] PKRU: 55555554
[ 75.125035] Call Trace:
[ 75.127792]
[ 75.130063] ? eth_get_headlen+0xa4/0xc0
[ 75.134472] igc_process_skb_fields+0xcd/0x150
[ 75.139461] igc_poll+0xc80/0x17b0
[ 75.143272] __napi_poll+0x27/0x170
[ 75.147192] net_rx_action+0x234/0x280
[ 75.151409] __do_softirq+0xef/0x2f4
[ 75.155424] irq_exit_rcu+0xc7/0x110
[ 75.159432] common_interrupt+0xb8/0xd0
[ 75.163748]
[ 75.166112]
[ 75.168473] asm_common_interrupt+0x22/0x40
[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350
[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1
[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202
[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f
[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20
[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001
[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980
[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000
[ 75.245635] ?
---truncated---
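A standalone C illustration of the offset arithmetic described above, added here as an example and not the kernel's own code: it computes nhoff the pre-fix way (trusting the wire-supplied message_length) and the fixed way (sizeof(struct ptp_header)) on a constructed frame of 0xff bytes, and adds a caller-side bounds check. The struct layout follows include/linux/ptp_classify.h; the frame contents and function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Wire layout of struct ptp_header (include/linux/ptp_classify.h): 34 bytes, packed. */
struct ptp_header {
    uint8_t  tsmt, ver;
    uint16_t message_length;       /* big-endian; attacker-controlled on the wire */
    uint8_t  domain_number, reserved1, flag_field[2];
    uint64_t correction;
    uint32_t reserved2;
    uint8_t  source_port_identity[10];
    uint16_t sequence_id;
    uint8_t  control, log_message_interval;
} __attribute__((packed));

#define ETH_HLEN  14
#define FRAME_LEN (ETH_HLEN + 300)     /* >256-byte 0xff payload, as in the advisory */

/* Constructed sample frame: Ethernet header with EtherType 0x88f7 (ETH_P_1588)
 * followed by 300 bytes of 0xff. Returns the frame and stores its length. */
const uint8_t *build_ptp_frame(size_t *out_len)
{
    static uint8_t frame[FRAME_LEN];
    memset(frame, 0xff, FRAME_LEN);
    memset(frame, 0x00, 12);                 /* dst/src MAC (arbitrary) */
    frame[12] = 0x88; frame[13] = 0xf7;      /* EtherType ETH_P_1588 */
    *out_len = FRAME_LEN;
    return frame;
}

/* Offset of the header following PTP, or -1 if the frame cannot hold a PTP header.
 * trust_wire_len=1 mirrors the pre-fix logic (nhoff += ntohs(message_length));
 * trust_wire_len=0 mirrors the fix (nhoff += sizeof(struct ptp_header)). */
int ptp_nhoff(const uint8_t *frame, size_t len, int trust_wire_len)
{
    int nhoff = ETH_HLEN;
    struct ptp_header hdr;
    if (len < (size_t)nhoff + sizeof(hdr))
        return -1;
    memcpy(&hdr, frame + nhoff, sizeof(hdr));
    nhoff += trust_wire_len ? ntohs(hdr.message_length) : (int)sizeof(hdr);
    return nhoff;
}

/* Caller-side sanity check: 1 if nhoff still lies inside the frame, 0 otherwise. */
int nhoff_within_frame(int nhoff, size_t len) { return nhoff >= 0 && (size_t)nhoff <= len; }
```

With the constructed frame the pre-fix path yields 0x1000d (0xe + 0xffff), past the end of a 314-byte frame, while the fixed path yields 0x30, matching the two traces in the description.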
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.15.134 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.56 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.5.6 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/488ea2a3e2666022f79abfdd7d12e8305fc27a40
- https://git.kernel.org/stable/c/48e105a2a1a10adc21c0ae717969f5e8e990ba48
- https://git.kernel.org/stable/c/75ad80ed88a182ab2ad5513e448cf07b403af5c3
- https://git.kernel.org/stable/c/f90a7b9586d72f907092078a9f394733ca502cc9