cve/published/2023/CVE-2023-52580.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52580: net/core: Fix ETH_P_1588 flow dissector

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/core: Fix ETH_P_1588 flow dissector

 When a PTP ethernet raw frame with a size of more than 256 bytes followed
 by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation
 is wrong. For example: hdr->message_length takes the wrong value (0xffff)
 and it does not replicate real header length. In this case, 'nhoff' value
 was overridden and the PTP header was badly dissected. This leads to a
 kernel crash.

 net/core: flow_dissector
 net/core flow dissector nhoff = 0x0000000e
 net/core flow dissector hdr->message_length = 0x0000ffff
 net/core flow dissector nhoff = 0x0001000d (u16 overflow)
 ...
 skb linear:   00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88
 skb frag:     00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

 Using the size of the ptp_header struct will allow the corrected
 calculation of the nhoff value.

 net/core flow dissector nhoff = 0x0000000e
 net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)
 ...
 skb linear:   00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff
 skb linear:   00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 skb linear:   00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 skb frag:     00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

 Kernel trace:
 [   74.984279] ------------[ cut here ]------------
 [   74.989471] kernel BUG at include/linux/skbuff.h:2440!
 [   74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
 [   75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G     U            5.15.85-intel-ese-standard-lts #1
 [   75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023
 [   75.026507] RIP: 0010:eth_type_trans+0xd0/0x130
 [   75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
 [   75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
 [   75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
 [   75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
 [   75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
 [   75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
 [   75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
 [   75.098464] FS:  0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
 [   75.107530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [   75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
 [   75.121980] PKRU: 55555554
 [   75.125035] Call Trace:
 [   75.127792]  <IRQ>
 [   75.130063]  ? eth_get_headlen+0xa4/0xc0
 [   75.134472]  igc_process_skb_fields+0xcd/0x150
 [   75.139461]  igc_poll+0xc80/0x17b0
 [   75.143272]  __napi_poll+0x27/0x170
 [   75.147192]  net_rx_action+0x234/0x280
 [   75.151409]  __do_softirq+0xef/0x2f4
 [   75.155424]  irq_exit_rcu+0xc7/0x110
 [   75.159432]  common_interrupt+0xb8/0xd0
 [   75.163748]  </IRQ>
 [   75.166112]  <TASK>
 [   75.168473]  asm_common_interrupt+0x22/0x40
 [   75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350
 [   75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1
 [   75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202
 [   75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f
 [   75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20
 [   75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001
 [   75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980
 [   75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000
 [   75.245635]  ? cpuidle_enter_state+0xc7/0x350
 [   75.250518]  cpuidle_enter+0x29/0x40
 [   75.254539]  do_idle+0x1d9/0x260
 [   75.258166]  cpu_startup_entry+0x19/0x20
 [   75.262582]  secondary_startup_64_no_verify+0xc2/0xcb
 [   75.268259]  </TASK>
 [   75.270721] Modules linked in: 8021q snd_sof_pci_intel_tgl snd_sof_intel_hda_common tpm_crb snd_soc_hdac_hda snd_sof_intel_hda snd_hda_ext_core snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress iTCO_wdt ac97_bus intel_pmc_bxt mei_hdcp iTCO_vendor_support snd_hda_codec_hdmi pmt_telemetry intel_pmc_core pmt_class snd_hda_intel x86_pkg_temp_thermal snd_intel_dspcfg snd_hda_codec snd_hda_core kvm_intel snd_pcm snd_timer kvm snd mei_me soundcore tpm_tis irqbypass i2c_i801 mei tpm_tis_core pcspkr intel_rapl_msr tpm i2c_smbus intel_pmt thermal sch_fq_codel uio uhid i915 drm_buddy video drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm fuse configfs
 [   75.342736] ---[ end trace 3785f9f360400e3a ]---
 [   75.347913] RIP: 0010:eth_type_trans+0xd0/0x130
 [   75.352984] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
 [   75.373994] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
 [   75.379860] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
 [   75.387856] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
 [   75.395864] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
 [   75.403857] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
 [   75.411863] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
 [   75.419875] FS:  0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
 [   75.428946] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [   75.435403] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
 [   75.443410] PKRU: 55555554
 [   75.446477] Kernel panic - not syncing: Fatal exception in interrupt
 [   75.453738] Kernel Offset: 0x11c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
 [   75.465794] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

 The Linux kernel CVE team has assigned CVE-2023-52580 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit 4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6 and fixed in 5.15.134 with commit f90a7b9586d72f907092078a9f394733ca502cc9
 	Issue introduced in 5.12 with commit 4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6 and fixed in 6.1.56 with commit 488ea2a3e2666022f79abfdd7d12e8305fc27a40
 	Issue introduced in 5.12 with commit 4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6 and fixed in 6.5.6 with commit 48e105a2a1a10adc21c0ae717969f5e8e990ba48
 	Issue introduced in 5.12 with commit 4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6 and fixed in 6.6 with commit 75ad80ed88a182ab2ad5513e448cf07b403af5c3

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52580
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/core/flow_dissector.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f90a7b9586d72f907092078a9f394733ca502cc9
 	https://git.kernel.org/stable/c/488ea2a3e2666022f79abfdd7d12e8305fc27a40
 	https://git.kernel.org/stable/c/48e105a2a1a10adc21c0ae717969f5e8e990ba48
 	https://git.kernel.org/stable/c/75ad80ed88a182ab2ad5513e448cf07b403af5c3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52580: net/core: Fix ETH_P_1588 flow dissector

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/core: Fix ETH_P_1588 flow dissector

	When a PTP ethernet raw frame with a size of more than 256 bytes followed
	by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation
	is wrong. For example: hdr->message_length takes the wrong value (0xffff)
	and it does not replicate real header length. In this case, 'nhoff' value
	was overridden and the PTP header was badly dissected. This leads to a
	kernel crash.

	net/core: flow_dissector
	net/core flow dissector nhoff = 0x0000000e
	net/core flow dissector hdr->message_length = 0x0000ffff
	net/core flow dissector nhoff = 0x0001000d (u16 overflow)
	...
	skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88
	skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

	Using the size of the ptp_header struct will allow the corrected
	calculation of the nhoff value.

	net/core flow dissector nhoff = 0x0000000e
	net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)
	...
	skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff
	skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
	skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
	skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

	Kernel trace:
	[ 74.984279] ------------[ cut here ]------------
	[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!
	[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
	[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1
	[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023
	[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130
	[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
	[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
	[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
	[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
	[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
	[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
	[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
	[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
	[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
	[ 75.121980] PKRU: 55555554
	[ 75.125035] Call Trace:
	[ 75.127792] <IRQ>
	[ 75.130063] ? eth_get_headlen+0xa4/0xc0
	[ 75.134472] igc_process_skb_fields+0xcd/0x150
	[ 75.139461] igc_poll+0xc80/0x17b0
	[ 75.143272] __napi_poll+0x27/0x170
	[ 75.147192] net_rx_action+0x234/0x280
	[ 75.151409] __do_softirq+0xef/0x2f4
	[ 75.155424] irq_exit_rcu+0xc7/0x110
	[ 75.159432] common_interrupt+0xb8/0xd0
	[ 75.163748] </IRQ>
	[ 75.166112] <TASK>
	[ 75.168473] asm_common_interrupt+0x22/0x40
	[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350
	[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1
	[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202
	[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f
	[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20
	[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001
	[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980
	[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000
	[ 75.245635] ? cpuidle_enter_state+0xc7/0x350
	[ 75.250518] cpuidle_enter+0x29/0x40
	[ 75.254539] do_idle+0x1d9/0x260
	[ 75.258166] cpu_startup_entry+0x19/0x20
	[ 75.262582] secondary_startup_64_no_verify+0xc2/0xcb
	[ 75.268259] </TASK>
	[ 75.270721] Modules linked in: 8021q snd_sof_pci_intel_tgl snd_sof_intel_hda_common tpm_crb snd_soc_hdac_hda snd_sof_intel_hda snd_hda_ext_core snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress iTCO_wdt ac97_bus intel_pmc_bxt mei_hdcp iTCO_vendor_support snd_hda_codec_hdmi pmt_telemetry intel_pmc_core pmt_class snd_hda_intel x86_pkg_temp_thermal snd_intel_dspcfg snd_hda_codec snd_hda_core kvm_intel snd_pcm snd_timer kvm snd mei_me soundcore tpm_tis irqbypass i2c_i801 mei tpm_tis_core pcspkr intel_rapl_msr tpm i2c_smbus intel_pmt thermal sch_fq_codel uio uhid i915 drm_buddy video drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm fuse configfs
	[ 75.342736] ---[ end trace 3785f9f360400e3a ]---
	[ 75.347913] RIP: 0010:eth_type_trans+0xd0/0x130
	[ 75.352984] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
	[ 75.373994] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
	[ 75.379860] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
	[ 75.387856] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
	[ 75.395864] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
	[ 75.403857] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
	[ 75.411863] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
	[ 75.419875] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
	[ 75.428946] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 75.435403] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
	[ 75.443410] PKRU: 55555554
	[ 75.446477] Kernel panic - not syncing: Fatal exception in interrupt
	[ 75.453738] Kernel Offset: 0x11c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
	[ 75.465794] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

	The Linux kernel CVE team has assigned CVE-2023-52580 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit 4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6 and fixed in 5.15.134 with commit f90a7b9586d72f907092078a9f394733ca502cc9
	Issue introduced in 5.12 with commit 4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6 and fixed in 6.1.56 with commit 488ea2a3e2666022f79abfdd7d12e8305fc27a40
	Issue introduced in 5.12 with commit 4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6 and fixed in 6.5.6 with commit 48e105a2a1a10adc21c0ae717969f5e8e990ba48
	Issue introduced in 5.12 with commit 4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6 and fixed in 6.6 with commit 75ad80ed88a182ab2ad5513e448cf07b403af5c3

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52580
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/core/flow_dissector.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f90a7b9586d72f907092078a9f394733ca502cc9
	https://git.kernel.org/stable/c/488ea2a3e2666022f79abfdd7d12e8305fc27a40
	https://git.kernel.org/stable/c/48e105a2a1a10adc21c0ae717969f5e8e990ba48
	https://git.kernel.org/stable/c/75ad80ed88a182ab2ad5513e448cf07b403af5c3