CVE-2023-53109
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
02/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net: tunnels: annotate lockless accesses to dev->needed_headroom

IP tunnels can apparently update dev->needed_headroom
in their xmit path.

This patch takes care of three tunnels xmit, and also the
core LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA()
helpers.

More changes might be needed for completeness.

BUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit

read to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1:
ip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803
__gre_xmit net/ipv4/ip_gre.c:469 [inline]
ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
netdev_start_xmit include/linux/netdevice.h:4895 [inline]
xmit_one net/core/dev.c:3580 [inline]
dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
dev_queue_xmit include/linux/netdevice.h:3051 [inline]
neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
neigh_output include/net/neighbour.h:546 [inline]
ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:444 [inline]
ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
__gre_xmit net/ipv4/ip_gre.c:469 [inline]
ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
netdev_start_xmit include/linux/netdevice.h:4895 [inline]
xmit_one net/core/dev.c:3580 [inline]
dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
dev_queue_xmit include/linux/netdevice.h:3051 [inline]
neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
neigh_output include/net/neighbour.h:546 [inline]
ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:444 [inline]
ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
__gre_xmit net/ipv4/ip_gre.c:469 [inline]
ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
netdev_start_xmit include/linux/netdevice.h:4895 [inline]
xmit_one net/core/dev.c:3580 [inline]
dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
dev_queue_xmit include/linux/netdevice.h:3051 [inline]
neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
neigh_output include/net/neighbour.h:546 [inline]
ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:444 [inline]
ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
__gre_xmit net/ipv4/ip_gre.c:469 [inline]
ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
netdev_start_xmit include/linux/netdevice.h:4895 [inline]
xmit_one net/core/dev.c:3580 [inline]
dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
dev_queue_xmit include/linux/netdevice.h:3051 [inline]
neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
neigh_output include/net/neighbour.h:546 [inline]
ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0xe5/0x1b0 net/i
---truncated---
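Added example (not part of the CVE record or of the kernel patch): a user-space C model of the annotation pattern the description refers to, applied to an LL_RESERVED_SPACE()-style helper and to a needed_headroom update in a tunnel xmit path, including the nested-tunnel case visible in the trace. The READ_ONCE/WRITE_ONCE macros are simplified stand-ins, and struct model_dev, tunnel_xmit_headroom() and the header sizes are assumptions made for illustration.

```c
/* User-space model (added example, not kernel code). */
#include <stdio.h>

/* Simplified stand-ins: one volatile access, so no refetch or torn access. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

#define HH_DATA_MOD 16
#define IPV4_HLEN   20  /* IPv4 header without options (assumption) */

/* Hypothetical cut-down device: only the fields this model needs. */
struct model_dev {
    unsigned short hard_header_len;
    unsigned short needed_headroom;  /* 2 bytes wide, as in the KCSAN report */
};

/* Helper modelled on LL_RESERVED_SPACE(), with the lockless read annotated. */
static unsigned int ll_reserved_space(struct model_dev *dev)
{
    return ((dev->hard_header_len + READ_ONCE(dev->needed_headroom))
            & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD;
}

/* Xmit-path update: grow the tunnel's headroom without holding a lock.
 * The shared field is read once for the comparison and written once. */
static unsigned int tunnel_xmit_headroom(struct model_dev *tun,
                                         struct model_dev *lower,
                                         unsigned int encap_len)
{
    unsigned int max_headroom = ll_reserved_space(lower) + IPV4_HLEN + encap_len;

    if (max_headroom > READ_ONCE(tun->needed_headroom))
        WRITE_ONCE(tun->needed_headroom, (unsigned short)max_headroom);
    return READ_ONCE(tun->needed_headroom);
}

int main(void)
{
    struct model_dev eth = { 14, 0 };          /* constructed sample devices */
    struct model_dev gre0 = { 0, 0 }, gre1 = { 0, 0 };

    printf("gre0 over eth:  %u\n", tunnel_xmit_headroom(&gre0, &eth, 4));
    printf("gre1 over gre0: %u\n", tunnel_xmit_headroom(&gre1, &gre0, 4));
    printf("gre1 over eth:  %u\n", tunnel_xmit_headroom(&gre1, &eth, 4));
    return 0;
}
```

The annotations do not serialize the check and the store: two CPUs can still both pass the comparison, and the smaller value may be written last. What they guarantee is that each access is a single untorn load or store the compiler cannot duplicate or refetch.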
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4b397c06cb987935b1b097336532aa6b4210e091
- https://git.kernel.org/stable/c/51f3bd3765bc5ca4583af07a00833da00d2ace1d
- https://git.kernel.org/stable/c/5aaab217c8f5387b9c5fff9e940d80f135e04366
- https://git.kernel.org/stable/c/8e206f66d824b3b28a7f9ee1366dfc79a937bb46
- https://git.kernel.org/stable/c/9b86a8702b042ee4e15d2d46375be873a6a8834f
- https://git.kernel.org/stable/c/a69b72b57b7d269e833e520ba7500d556e8189b6
- https://git.kernel.org/stable/c/be59b87ee4aed81db7c10e44f603866a0ac3ca5d
- https://git.kernel.org/stable/c/e0a557fc1daf5c1086e47150a4571aebadbb62be