National Cybersecurity Institute. INCIBE section
National Cybersecurity Institute. INCIBE-CERT section

CVE-2023-54206

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
30/12/2025
Last modified:
31/12/2025

Description

*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

net/sched: flower: fix filter idr initialization

The cited commit moved idr initialization too early in fl_change() which allows concurrent users to access the filter that is still being initialized and is in inconsistent state, which, in turn, can cause NULL pointer dereference [0]. Since there is no obvious way to fix the ordering without reverting the whole cited commit, alternative approach taken to first insert NULL pointer into idr in order to allocate the handle but still cause fl_get() to return NULL and prevent concurrent users from seeing the filter while providing miss-to-action infrastructure with valid handle id early in fl_change().

[ 152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
[ 152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5
[ 152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower]
[ 152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57
[ 152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246
[ 152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900
[ 152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240
[ 152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900
[ 152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738
[ 152.448756] FS: 00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000
[ 152.449888] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0
[ 152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 152.453588] Call Trace:
[ 152.454032]
[ 152.454447] ? netlink_sendmsg+0x7a1/0xcb0
[ 152.455109] ? sock_sendmsg+0xc5/0x190
[ 152.455689] ? ____sys_sendmsg+0x535/0x6b0
[ 152.456320] ? ___sys_sendmsg+0xeb/0x170
[ 152.456916] ? do_syscall_64+0x3d/0x90
[ 152.457529] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 152.458321] ? ___sys_sendmsg+0xeb/0x170
[ 152.458958] ? __sys_sendmsg+0xb5/0x140
[ 152.459564] ? do_syscall_64+0x3d/0x90
[ 152.460122] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 152.460852] ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower]
[ 152.461710] ? _raw_spin_lock+0x7a/0xd0
[ 152.462299] ? _raw_read_lock_irq+0x30/0x30
[ 152.462924] ? nla_put+0x15e/0x1c0
[ 152.463480] fl_dump+0x228/0x650 [cls_flower]
[ 152.464112] ? fl_tmplt_dump+0x210/0x210 [cls_flower]
[ 152.464854] ? __kmem_cache_alloc_node+0x1a7/0x330
[ 152.465592] ? nla_put+0x15e/0x1c0
[ 152.466160] tcf_fill_node+0x515/0x9a0
[ 152.466766] ? tc_setup_offload_action+0xf0/0xf0
[ 152.467463] ? __alloc_skb+0x13c/0x2a0
[ 152.468067] ? __build_skb_around+0x330/0x330
[ 152.468814] ? fl_get+0x107/0x1a0 [cls_flower]
[ 152.469503] tc_del_tfilter+0x718/0x1330
[ 152.470115] ? is_bpf_text_address+0xa/0x20
[ 152.470765] ? tc_ctl_chain+0xee0/0xee0
[ 152.471335] ? __kernel_text_address+0xe/0x30
[ 152.471948] ? unwind_get_return_address+0x56/0xa0
[ 152.472639] ? __thaw_task+0x150/0x150
[ 152.473218] ? arch_stack_walk+0x98/0xf0
[ 152.473839] ? __stack_depot_save+0x35/0x4c0
[ 152.474501] ? stack_trace_save+0x91/0xc0
[ 152.475119] ? security_capable+0x51/0x90
[ 152.475741] rtnetlink_rcv_msg+0x2c1/0x9d0
[ 152.476387] ? rtnl_calcit.isra.0+0x2b0/0x2b0
[ 152.477042]
---truncated---
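The handle-reservation approach the description above outlines, as an added userspace model that is not the kernel's code: the id is allocated with a NULL placeholder so lookups report nothing until the fully built filter is published under that id. The array-backed table and the names reserve_handle, lookup_handle, publish_filter and MAX_HANDLES are assumptions standing in for the kernel idr, fl_change() and fl_get().

```c
/* Added example, not kernel code: a userspace model of the fix described
 * above. The handle is reserved in the table first, but the slot holds
 * NULL until the filter is fully initialized, so a concurrent lookup sees
 * "no such filter" instead of a half-built object. */
#include <stddef.h>

#define MAX_HANDLES 16            /* hypothetical small id space */

struct filter {
    unsigned int handle;          /* id allocated from the table */
    int initialized;              /* set at the end of setup */
};

/* Stand-in for the kernel idr: reserved[] marks allocated ids, table[]
 * holds the published pointer (NULL while still being initialized). */
static int reserved[MAX_HANDLES];
static struct filter *table[MAX_HANDLES];

/* Models the fixed fl_change() ordering: allocate the id early, but
 * insert a NULL placeholder rather than the unfinished filter. */
unsigned int reserve_handle(void)
{
    for (unsigned int h = 1; h < MAX_HANDLES; h++) {
        if (!reserved[h]) {
            reserved[h] = 1;
            table[h] = NULL;      /* placeholder: invisible to lookups */
            return h;
        }
    }
    return 0;                     /* 0 means no free handle */
}

/* Models fl_get(): a reserved slot that still holds NULL reads as absent,
 * which is what keeps concurrent users off the unfinished filter. */
struct filter *lookup_handle(unsigned int h)
{
    return (h > 0 && h < MAX_HANDLES) ? table[h] : NULL;
}

/* Publishes the filter under its reserved handle; refuses an unfinished
 * filter or a handle that was never reserved. Returns 0 on success. */
int publish_filter(struct filter *f)
{
    if (!f || !f->initialized || f->handle == 0 ||
        f->handle >= MAX_HANDLES || !reserved[f->handle])
        return -1;
    table[f->handle] = f;
    return 0;
}
```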

Impact