CVE-2023-53667

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize<br /> <br /> Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than<br /> the calculated "min" value, but greater than zero, the logic sets<br /> tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in<br /> cdc_ncm_fill_tx_frame() where all the data is handled.<br /> <br /> For small values of dwNtbOutMaxSize the memory allocated during<br /> alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to<br /> how size is aligned at alloc time:<br /> size = SKB_DATA_ALIGN(size);<br /> size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));<br /> Thus we hit the same bug that we tried to squash with<br /> commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")<br /> <br /> Low values of dwNtbOutMaxSize do not cause an issue presently because at<br /> alloc_skb() time more memory (512b) is allocated than required for the<br /> SKB headers alone (320b), leaving some space (512b - 320b = 192b)<br /> for CDC data (172b).<br /> <br /> However, if more elements (for example 3 x u64 = [24b]) were added to<br /> one of the SKB header structs, say &amp;#39;struct skb_shared_info&amp;#39;,<br /> increasing its original size (320b [320b aligned]) to something larger<br /> (344b [384b aligned]), then suddenly the CDC data (172b) no longer<br /> fits in the spare SKB data area (512b - 384b = 128b).<br /> <br /> Consequently the SKB bounds checking semantics fails and panics:<br /> <br /> skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<br /> ------------[ cut here ]------------<br /> kernel BUG at net/core/skbuff.c:113!<br /> invalid opcode: 0000 [#1] PREEMPT SMP KASAN<br /> CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023<br /> Workqueue: mld mld_ifc_work<br /> RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]<br /> RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118<br /> [snip]<br /> Call Trace:<br /> <br /> skb_put+0x151/0x210 net/core/skbuff.c:2047<br /> skb_put_zero include/linux/skbuff.h:2422 [inline]<br /> cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]<br /> cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308<br /> cdc_ncm_tx_fixup+0xa3/0x100<br /> <br /> Deal with too low values of dwNtbOutMaxSize, clamp it in the range<br /> [USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure<br /> enough data space is allocated to handle CDC data by making sure<br /> dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.