CVE-2023-54094

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
24/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: prevent skb corruption on frag list segmentation

Ian reported several skb corruptions triggered by rx-gro-list,
collecting different oops alike:

[ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[ 62.631083] #PF: supervisor read access in kernel mode
[ 62.636312] #PF: error_code(0x0000) - not-present page
[ 62.641541] PGD 0 P4D 0
[ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364
[ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022
[ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858
./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261
net/ipv4/udp_offload.c:277)
[ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246
[ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000
[ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4
[ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9
[ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2
[ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9
[ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000)
knlGS:0000000000000000
[ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0
[ 62.749948] Call Trace:
[ 62.752498]
[ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398)
[ 62.787605] skb_mac_gso_segment (net/core/gro.c:141)
[ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2))
[ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862
net/core/dev.c:3659)
[ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710)
[ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330)
[ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210)
net/netfilter/core.c:626)
[ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55)
[ 62.825652] maybe_deliver (net/bridge/br_forward.c:193)
[ 62.829420] br_flood (net/bridge/br_forward.c:233)
[ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215)
[ 62.837403] br_handle_frame (net/bridge/br_input.c:298
net/bridge/br_input.c:416)
[ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387)
[ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570)
[ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638
net/core/dev.c:5727)
[ 62.876795] napi_complete_done (./include/linux/list.h:37
./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067)
[ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191)
[ 62.893534] __napi_poll (net/core/dev.c:6498)
[ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89
net/core/dev.c:6640)
[ 62.905276] kthread (kernel/kthread.c:379)
[ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314)
[ 62.917119]

In the critical scenario, rx-gro-list GRO-ed packets are fed, via a
bridge, both to the local input path and to an egress device (tun).

The segmentation of such packets unsafely writes to the cloned skbs
with shared heads.

This change addresses the issue by uncloning as needed the
to-be-segmented skbs.
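
The shared-head write described above, as a simplified userspace model added here (it is not the kernel patch or any kernel code). `struct head`, `struct buf`, `buf_unclone`, `segment` and `local_copy_intact` are hypothetical names, and the model assumes the frag list pointer lives in the head that the clones share.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not kernel code: clones share one refcounted head. */
struct head { int refs; void *frag_list; }; /* frag list lives in the head */
struct buf { struct head *head; };

/* Give b a private head if it is shared; 0 on success, -1 if out of memory. */
static int buf_unclone(struct buf *b)
{
    if (b->head->refs == 1) return 0;      /* already private */
    struct head *priv = malloc(sizeof(*priv));
    if (!priv) return -1;
    *priv = *b->head;
    priv->refs = 1;
    b->head->refs--;
    b->head = priv;
    return 0;
}

/* Segmentation detaches the frag list, which writes to the head. */
static int segment(struct buf *b, int unclone_first)
{
    if (unclone_first && buf_unclone(b) != 0) return -1;
    b->head->frag_list = NULL;
    return 0;
}

/* 1: local clone's frag list survived; 0: corrupted; -1: out of memory. */
static int local_copy_intact(int unclone_first)
{
    static int frags; /* constructed stand-in for the chained packets */
    struct head *h = calloc(1, sizeof(*h));
    if (!h) return -1;
    h->refs = 2; /* one reference per clone below */
    h->frag_list = &frags;
    struct buf local = { h }, egress = { h };
    int rc = segment(&egress, unclone_first);
    int intact = rc ? -1 : (local.head->frag_list == &frags);
    if (egress.head != h) free(egress.head);
    free(h);
    return intact;
}

int main(void)
{
    printf("no unclone: %d, unclone first: %d\n", local_copy_intact(0), local_copy_intact(1));
    return 0;
}
```

Without the unclone step, the clone on the local input path loses its frag list when the egress clone is segmented; with it, the write lands on a private copy.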

Impact