CVE-2023-52610
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/03/2024
Last modified:
10/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/sched: act_ct: fix skb leak and crash on ooo frags<br />
<br />
act_ct adds skb->users before defragmentation. If frags arrive in order,<br />
the last frag&#39;s reference is reset in:<br />
<br />
inet_frag_reasm_prepare<br />
skb_morph<br />
<br />
which is not straightforward.<br />
<br />
However when frags arrive out of order, nobody unref the last frag, and<br />
all frags are leaked. The situation is even worse, as initiating packet<br />
capture can lead to a crash[0] when skb has been cloned and shared at the<br />
same time.<br />
<br />
Fix the issue by removing skb_get() before defragmentation. act_ct<br />
returns TC_ACT_CONSUMED when defrag failed or in progress.<br />
<br />
[0]:<br />
[ 843.804823] ------------[ cut here ]------------<br />
[ 843.809659] kernel BUG at net/core/skbuff.c:2091!<br />
[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP<br />
[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2<br />
[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022<br />
[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300<br />
[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89<br />
[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202<br />
[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820<br />
[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00<br />
[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000<br />
[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880<br />
[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900<br />
[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000<br />
[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0<br />
[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
[ 843.894229] PKRU: 55555554<br />
[ 843.898539] Call Trace:<br />
[ 843.902772] <br />
[ 843.906922] ? __die_body+0x1e/0x60<br />
[ 843.911032] ? die+0x3c/0x60<br />
[ 843.915037] ? do_trap+0xe2/0x110<br />
[ 843.918911] ? pskb_expand_head+0x2ac/0x300<br />
[ 843.922687] ? do_error_trap+0x65/0x80<br />
[ 843.926342] ? pskb_expand_head+0x2ac/0x300<br />
[ 843.929905] ? exc_invalid_op+0x50/0x60<br />
[ 843.933398] ? pskb_expand_head+0x2ac/0x300<br />
[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20<br />
[ 843.940226] ? pskb_expand_head+0x2ac/0x300<br />
[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240<br />
[ 843.946904] ip_defrag+0x5d4/0x870<br />
[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]<br />
[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]<br />
[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]<br />
[ 843.959657] tcf_action_exec+0xa1/0x160<br />
[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]<br />
[ 843.966010] ? skb_clone+0x53/0xc0<br />
[ 843.969173] tcf_classify+0x24d/0x420<br />
[ 843.972333] tc_run+0x8f/0xf0<br />
[ 843.975465] __netif_receive_skb_core+0x67a/0x1080<br />
[ 843.978634] ? dev_gro_receive+0x249/0x730<br />
[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260<br />
[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0<br />
[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]<br />
[ 843.991170] napi_complete_done+0x72/0x1a0<br />
[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]<br />
[ 843.997501] __napi_poll+0x25/0x1b0<br />
[ 844.000627] net_rx_action+0x256/0x330<br />
[ 844.003705] __do_softirq+0xb3/0x29b<br />
[ 844.006718] irq_exit_rcu+0x9e/0xc0<br />
[ 844.009672] common_interrupt+0x86/0xa0<br />
[ 844.012537] <br />
[ 844.015285] <br />
[ 844.017937] asm_common_interrupt+0x26/0x40<br />
[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20<br />
[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.3 (including) | 5.15.148 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4
- https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4
- https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6
- https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97
- https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441
- https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4
- https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4
- https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6
- https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97
- https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441