CVE-2023-53333

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/09/2025
Last modified:
17/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one

Eric Dumazet says:
nf_conntrack_dccp_packet() has a unique:

dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);

And nothing more is 'pulled' from the packet, depending on the content.
dh->dccph_doff, and/or dh->dccph_x ...)
So dccp_ack_seq() is happily reading stuff past the _dh buffer.

BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
[..]

Fix this by increasing the stack buffer to also include room for
the extra sequence numbers and all the known dccp packet type headers,
then pull again after the initial validation of the basic header.

While at it, mark packets invalid that lack 48bit sequence bit but
where RFC says the type MUST use them.

Compile tested only.

v2: first skb_header_pointer() now needs to adjust the size to
only pull the generic header. (Eric)

Heads-up: I intend to remove dccp conntrack support later this year.
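The two-stage pull the commit message describes, as an added user-space illustration that is not the kernel's nf_conntrack_dccp_packet() code: pull only the 12-byte basic header, validate type and X, then pull the full header sized for that type before reading sequence/ack numbers. header_pointer() is a simplified stand-in for skb_header_pointer() that always copies into the caller's buffer and fails when the packet is shorter than requested; constants, type numbers and field offsets follow RFC 4340.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space illustration, not kernel code; layout per RFC 4340 s5.1. */
#define DCCP_BASIC_LEN 12   /* generic header with X=0: the old stack buffer size */
#define DCCP_MAX_LEN   24   /* X=1 generic header (16) + X=1 ack subheader (8) */
enum { DCCP_REQUEST, DCCP_RESPONSE, DCCP_DATA, DCCP_ACK, DCCP_DATAACK,
       DCCP_CLOSEREQ, DCCP_CLOSE, DCCP_RESET, DCCP_SYNC, DCCP_SYNCACK };
enum { DCCP_OK = 0, DCCP_SHORT = -1, DCCP_BAD_X = -2, DCCP_BAD_TYPE = -3 };

/* Simplified skb_header_pointer(): copy [off, off+len) into buf, or fail. */
static const uint8_t *header_pointer(const uint8_t *pkt, size_t pktlen,
                                     size_t off, size_t len, uint8_t *buf)
{
    if (off > pktlen || len > pktlen - off)
        return NULL;                /* header would run past the packet */
    memcpy(buf, pkt + off, len);
    return buf;
}

static uint64_t be_bits(const uint8_t *p, int n)   /* n-byte big-endian field */
{   uint64_t v = 0; while (n--) v = (v << 8) | *p++; return v; }

/* Two-stage pull: validate the basic header, size the real header from
 * type and X, then pull again before touching sequence/ack fields. */
int dccp_parse(const uint8_t *pkt, size_t pktlen, size_t off,
               uint64_t *seq, uint64_t *ack)
{
    uint8_t buf[DCCP_MAX_LEN];
    const uint8_t *h = header_pointer(pkt, pktlen, off, DCCP_BASIC_LEN, buf);
    if (!h) return DCCP_SHORT;
    unsigned type = (h[8] >> 1) & 0x0f, x = h[8] & 1;
    if (type > DCCP_SYNCACK) return DCCP_BAD_TYPE;    /* reserved type */
    /* RFC 4340: every type except Data, Ack and DataAck MUST carry X=1. */
    if (!x && type != DCCP_DATA && type != DCCP_ACK && type != DCCP_DATAACK)
        return DCCP_BAD_X;
    size_t glen = x ? 16 : 12;
    int has_ack = (type != DCCP_REQUEST && type != DCCP_DATA);
    size_t need = glen + (has_ack ? (x ? 8 : 4) : 0);
    if (!(h = header_pointer(pkt, pktlen, off, need, buf)))
        return DCCP_SHORT;          /* shorter than its type/X claim */
    *seq = x ? (be_bits(h + 10, 2) << 32) | be_bits(h + 12, 4) : be_bits(h + 9, 3);
    *ack = !has_ack ? 0 : x ? (be_bits(h + glen + 2, 2) << 32) | be_bits(h + glen + 4, 4)
                           : be_bits(h + glen + 1, 3);
    return DCCP_OK;
}
```

With the old single 12-byte pull, a Response packet truncated right after the basic header would still have its ack field read from uninitialised stack; here the second pull reports DCCP_SHORT instead.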

Impact