CVE-2023-52778

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/05/2024
Last modified: 21/05/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: deal with large GSO size

After the blamed commit below, the TCP sockets (and the MPTCP subflows)
can build egress packets larger than 64K. That exceeds the maximum DSS
data size, the length being misrepresented on the wire and the stream being
corrupted, as later observed on the receiver:

WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0
CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705
RSP: 0018:ffffc90000006e80 EFLAGS: 00010246
RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908
RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a
R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908
R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29
FS: 00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:

mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819
subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409
tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151
tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098
tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483
tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749
ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438
ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483
ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304
__netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532
process_backlog+0x353/0x660 net/core/dev.c:5974
__napi_poll+0xc6/0x5a0 net/core/dev.c:6536
net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603
__do_softirq+0x184/0x524 kernel/softirq.c:553
do_softirq+0xdd/0x130 kernel/softirq.c:454

Address the issue by explicitly bounding the maximum GSO size to what MPTCP
actually allows.
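The mechanism behind the corruption, as an added user-space model that is not kernel code and not part of the advisory: the DSS option's data-level length is a 16-bit field (RFC 8684), so a GSO segment above 65535 bytes cannot be described on the wire, and the receiver's mapping check fails. The function names and the sender/receiver model are assumptions for illustration; the last function shows the shape of the fix (clamping the GSO size), not the kernel's actual implementation.

```c
/* Added example, hypothetical names: models why an egress segment larger
 * than 64K breaks an MPTCP DSS mapping and how bounding GSO avoids it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DSS_MAX_DATA_LEN 0xFFFFu  /* 16-bit DSS data-level length field */

/* Writing the DSS data-level length: the field silently truncates to
 * 16 bits, which is the "length misrepresented on the wire" in the text. */
static uint16_t dss_encode_len(size_t skb_len)
{
    return (uint16_t)skb_len;
}

/* Receiver-side consistency check modelled on the condition that trips
 * the kernel WARNING: the advertised mapping must cover the bytes seen. */
static bool dss_mapping_consistent(size_t bytes_received, uint16_t dss_len)
{
    return bytes_received == dss_len;
}

/* Shape of the fix: never let a subflow build a GSO segment that a single
 * DSS mapping cannot describe. (Clamp value is illustrative.) */
static size_t mptcp_bound_gso_size(size_t tcp_gso_max_size)
{
    return tcp_gso_max_size > DSS_MAX_DATA_LEN ? DSS_MAX_DATA_LEN
                                                : tcp_gso_max_size;
}

int main(void)
{
    size_t big = 70000;  /* constructed: > 64K, as the blamed commit allowed */
    uint16_t on_wire = dss_encode_len(big);
    printf("skb %zu bytes -> DSS len %u, consistent=%d\n",
           big, on_wire, dss_mapping_consistent(big, on_wire));

    size_t bounded = mptcp_bound_gso_size(big);
    uint16_t bounded_wire = dss_encode_len(bounded);
    printf("bounded GSO %zu -> DSS len %u, consistent=%d\n",
           bounded, bounded_wire, dss_mapping_consistent(bounded, bounded_wire));
    return 0;
}
```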

Impact