CVE-2023-53752
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
08/12/2025
Last modified:
08/12/2025
Description
*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

net: deal with integer overflows in kmalloc_reserve()

Blamed commit changed:
	ptr = kmalloc(size);
	if (ptr)
		size = ksize(ptr);

to:
	size = kmalloc_size_roundup(size);
	ptr = kmalloc(size);

This allowed various crashes as reported by syzbot [1]
and Kyle Zeng.

Problem is that if @size is bigger than 0x80000001,
kmalloc_size_roundup(size) returns 2^32.

kmalloc_reserve() uses a 32-bit variable (obj_size),
so 2^32 is truncated to 0.

kmalloc(0) returns ZERO_SIZE_PTR which is not handled by
skb allocations.

Following trace can be triggered if a netdev->mtu is set
close to 0x7fffffff

We might in the future limit netdev->mtu to more sensible
limit (like KMALLOC_MAX_SIZE).

This patch is based on a syzbot report, and also a report
and tentative fix from Kyle Zeng.

[1]
BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]
BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527
Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554

CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106
print_report+0xe4/0x4b4 mm/kasan/report.c:398
kasan_report+0x150/0x1ac mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memset+0x40/0x70 mm/kasan/shadow.c:44
__build_skb_around net/core/skbuff.c:294 [inline]
__alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527
alloc_skb include/linux/skbuff.h:1316 [inline]
igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359
add_grec+0x81c/0x1124 net/ipv4/igmp.c:534
igmpv3_send_cr net/ipv4/igmp.c:667 [inline]
igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810
call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers+0x54c/0x710 kernel/time/timer.c:1790
run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803
_stext+0x380/0xfbc
____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84
invoke_softirq kernel/softirq.c:437 [inline]
__irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683
irq_exit_rcu+0x14/0x78 kernel/softirq.c:695
el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717
__el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724
el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729
el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
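The truncation the commit message describes (a rounded-up size that no longer fits the 32-bit obj_size, collapsing 2^32 to 0) is easy to reproduce in userspace. The following C program is an added example, not kernel code and not the patch itself: model_size_roundup() stands in for kmalloc_size_roundup() as a round-up to the next power of two on a 64-bit integer, truncated_obj_size() mirrors the buggy pattern of storing that result in a 32-bit variable, and checked_obj_size() shows a defensive version that keeps the wide type and rejects anything over a hypothetical MODEL_MAX_ALLOC cap (a placeholder for a KMALLOC_MAX_SIZE-style limit) before it can be truncated.

```c
/* Added example modelling the CVE-2023-53752 truncation; not kernel code.
 * Assumptions: model_size_roundup() approximates kmalloc_size_roundup() as a
 * power-of-two round-up; MODEL_MAX_ALLOC is a hypothetical allocation cap.
 */
#include <stdint.h>
#include <stdio.h>

/* Model of kmalloc_size_roundup(): smallest power of two >= size, computed in
 * 64 bits so a request just above 0x80000000 rounds up to exactly 2^32. */
static uint64_t model_size_roundup(uint64_t size)
{
    uint64_t r = 1;
    if (size == 0)
        return 0;
    while (r < size)
        r <<= 1;
    return r;
}

/* Buggy pattern: the rounded size is stored in a 32-bit variable. For any
 * size in (0x80000000, 0xffffffff] the round-up is 2^32, which the cast
 * truncates to 0; a 0-byte allocation is what produced ZERO_SIZE_PTR. */
uint32_t truncated_obj_size(uint32_t size)
{
    uint32_t obj_size = (uint32_t)model_size_roundup(size); /* silent truncation */
    return obj_size;
}

/* Hypothetical cap standing in for a KMALLOC_MAX_SIZE-style limit (4 MiB). */
#define MODEL_MAX_ALLOC ((uint64_t)1 << 22)

/* Hardened pattern: keep the rounded value in the wide type, bound it, and
 * only then narrow it. Returns the usable size, or -1 if the request must be
 * refused (zero, over the cap, or not representable in 32 bits). */
int64_t checked_obj_size(uint32_t size)
{
    uint64_t obj_size = model_size_roundup(size);
    if (obj_size == 0 || obj_size > MODEL_MAX_ALLOC || obj_size > UINT32_MAX)
        return -1;
    return (int64_t)obj_size;
}

int main(void)
{
    /* Constructed inputs: an ordinary Ethernet MTU and a size just past 2^31,
     * the region the commit message identifies as problematic. */
    uint32_t inputs[] = { 1500u, 0x80000001u };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("size=0x%08x truncated=0x%08x checked=%lld\n",
               inputs[i], truncated_obj_size(inputs[i]),
               (long long)checked_obj_size(inputs[i]));
    }
    return 0;
}
```

Running it shows the ordinary MTU rounding to 2048 under both versions, while 0x80000001 becomes 0 under the truncating version and is rejected (-1) by the bounded one; the bound check matters because the narrowing cast alone gives no error.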