CVE-2023-54114

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()<br /> <br /> As the call trace shows, skb_panic was caused by wrong skb-&gt;mac_header<br /> in nsh_gso_segment():<br /> <br /> invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1<br /> RIP: 0010:skb_panic+0xda/0xe0<br /> call Trace:<br /> skb_push+0x91/0xa0<br /> nsh_gso_segment+0x4f3/0x570<br /> skb_mac_gso_segment+0x19e/0x270<br /> __skb_gso_segment+0x1e8/0x3c0<br /> validate_xmit_skb+0x452/0x890<br /> validate_xmit_skb_list+0x99/0xd0<br /> sch_direct_xmit+0x294/0x7c0<br /> __dev_queue_xmit+0x16f0/0x1d70<br /> packet_xmit+0x185/0x210<br /> packet_snd+0xc15/0x1170<br /> packet_sendmsg+0x7b/0xa0<br /> sock_sendmsg+0x14f/0x160<br /> <br /> The root cause is:<br /> nsh_gso_segment() use skb-&gt;network_header - nhoff to reset mac_header<br /> in skb_gso_error_unwind() if inner-layer protocol gso fails.<br /> However, skb-&gt;network_header may be reset by inner-layer protocol<br /> gso function e.g. mpls_gso_segment. skb-&gt;mac_header reset by the<br /> inaccurate network_header will be larger than skb headroom.<br /> <br /> nsh_gso_segment<br /> nhoff = skb-&gt;network_header - skb-&gt;mac_header;<br /> __skb_pull(skb,nsh_len)<br /> skb_mac_gso_segment<br /> mpls_gso_segment<br /> skb_reset_network_header(skb);//skb-&gt;network_header+=nsh_len<br /> return -EINVAL;<br /> skb_gso_error_unwind<br /> skb_push(skb, nsh_len);<br /> skb-&gt;mac_header = skb-&gt;network_header - nhoff;<br /> // skb-&gt;mac_header &gt; skb-&gt;headroom, cause skb_push panic<br /> <br /> Use correct mac_offset to restore mac_header and get rid of nhoff.