CVE-2023-53365

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ip6mr: Fix skb_under_panic in ip6mr_cache_report()<br /> <br /> skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4<br /> head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg<br /> ------------[ cut here ]------------<br /> kernel BUG at net/core/skbuff.c:192!<br /> invalid opcode: 0000 [#1] PREEMPT SMP KASAN<br /> CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> Workqueue: ipv6_addrconf addrconf_dad_work<br /> RIP: 0010:skb_panic+0x152/0x1d0<br /> Call Trace:<br /> <br /> skb_push+0xc4/0xe0<br /> ip6mr_cache_report+0xd69/0x19b0<br /> reg_vif_xmit+0x406/0x690<br /> dev_hard_start_xmit+0x17e/0x6e0<br /> __dev_queue_xmit+0x2d6a/0x3d20<br /> vlan_dev_hard_start_xmit+0x3ab/0x5c0<br /> dev_hard_start_xmit+0x17e/0x6e0<br /> __dev_queue_xmit+0x2d6a/0x3d20<br /> neigh_connected_output+0x3ed/0x570<br /> ip6_finish_output2+0x5b5/0x1950<br /> ip6_finish_output+0x693/0x11c0<br /> ip6_output+0x24b/0x880<br /> NF_HOOK.constprop.0+0xfd/0x530<br /> ndisc_send_skb+0x9db/0x1400<br /> ndisc_send_rs+0x12a/0x6c0<br /> addrconf_dad_completed+0x3c9/0xea0<br /> addrconf_dad_work+0x849/0x1420<br /> process_one_work+0xa22/0x16e0<br /> worker_thread+0x679/0x10c0<br /> ret_from_fork+0x28/0x60<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit().<br /> reg_vif_xmit()<br /> ip6mr_cache_report()<br /> skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4<br /> And skb_push declared as:<br /> void *skb_push(struct sk_buff *skb, unsigned int len);<br /> skb-&gt;data -= len;<br /> //0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850<br /> skb-&gt;data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails.