From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-52610: net/sched: act_ct: fix skb leak and crash on ooo frags

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: fix skb leak and crash on ooo frags

act_ct adds skb->users before defragmentation. If frags arrive in order,
the last frag's reference is reset in:

inet_frag_reasm_prepare
skb_morph

which is not straightforward.

However, when frags arrive out of order, nobody unrefs the last frag, and
all frags are leaked. The situation is even worse, as initiating packet
capture can lead to a crash[0] when skb has been cloned and shared at the
same time.

Fix the issue by removing skb_get() before defragmentation. act_ct
returns TC_ACT_CONSUMED when defrag fails or is in progress.

[0]:
[ 843.804823] ------------[ cut here ]------------
[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 843.894229] PKRU: 55555554
[ 843.898539] Call Trace:
[ 843.902772] <IRQ>
[ 843.906922] ? __die_body+0x1e/0x60
[ 843.911032] ? die+0x3c/0x60
[ 843.915037] ? do_trap+0xe2/0x110
[ 843.918911] ? pskb_expand_head+0x2ac/0x300
[ 843.922687] ? do_error_trap+0x65/0x80
[ 843.926342] ? pskb_expand_head+0x2ac/0x300
[ 843.929905] ? exc_invalid_op+0x50/0x60
[ 843.933398] ? pskb_expand_head+0x2ac/0x300
[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20
[ 843.940226] ? pskb_expand_head+0x2ac/0x300
[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
[ 843.946904] ip_defrag+0x5d4/0x870
[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
[ 843.959657] tcf_action_exec+0xa1/0x160
[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]
[ 843.966010] ? skb_clone+0x53/0xc0
[ 843.969173] tcf_classify+0x24d/0x420
[ 843.972333] tc_run+0x8f/0xf0
[ 843.975465] __netif_receive_skb_core+0x67a/0x1080
[ 843.978634] ? dev_gro_receive+0x249/0x730
[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260
[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0
[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
[ 843.991170] napi_complete_done+0x72/0x1a0
[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
[ 843.997501] __napi_poll+0x25/0x1b0
[ 844.000627] net_rx_action+0x256/0x330
[ 844.003705] __do_softirq+0xb3/0x29b
[ 844.006718] irq_exit_rcu+0x9e/0xc0
[ 844.009672] common_interrupt+0x86/0xa0
[ 844.012537] </IRQ>
[ 844.015285] <TASK>
[ 844.017937] asm_common_interrupt+0x26/0x40
[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb f4 <fa> c3 0f 1f 00 89 fa ec 48 8b 05 ee 88 ed 00 a9 00 00 00 80 75 11
[ 844.028900] RSP: 0018:ffffc90000533e70 EFLAGS: 00000246
[ 844.031725] RAX: 0000000000004000 RBX: 0000000000000001 RCX: 0000000000000000
[ 844.034553] RDX: ffff889ffffc0000 RSI: ffffffff828b7f20 RDI: ffff88a090f45c64
[ 844.037368] RBP: ffff88a0901a2800 R08: ffff88a090f45c00 R09: 00000000000317c0
[ 844.040155] R10: 00ec812281150475 R11: ffff889fffff0e04 R12: ffffffff828b7fa0
[ 844.042962] R13: ffffffff828b7f20 R14: 0000000000000001 R15: 0000000000000000
[ 844.045819] acpi_idle_enter+0x7b/0xc0
[ 844.048621] cpuidle_enter_state+0x7f/0x430
[ 844.051451] cpuidle_enter+0x2d/0x40
[ 844.054279] do_idle+0x1d4/0x240
[ 844.057096] cpu_startup_entry+0x2a/0x30
[ 844.059934] start_secondary+0x104/0x130
[ 844.062787] secondary_startup_64_no_verify+0x16b/0x16b
[ 844.065674] </TASK>

The Linux kernel CVE team has assigned CVE-2023-52610 to this issue.


Affected and fixed versions
===========================

Issue introduced in 5.3 with commit b57dc7c13ea90e09ae15f821d2583fa0231b4935 and fixed in 5.15.148 with commit 172ba7d46c202e679f3ccb10264c67416aaeb1c4
Issue introduced in 5.3 with commit b57dc7c13ea90e09ae15f821d2583fa0231b4935 and fixed in 6.1.75 with commit 0b5b831122fc3789fff75be433ba3e4dd7b779d4
Issue introduced in 5.3 with commit b57dc7c13ea90e09ae15f821d2583fa0231b4935 and fixed in 6.6.14 with commit 73f7da5fd124f2cda9161e2e46114915e6e82e97
Issue introduced in 5.3 with commit b57dc7c13ea90e09ae15f821d2583fa0231b4935 and fixed in 6.7.2 with commit f5346df0591d10bc948761ca854b1fae6d2ef441
Issue introduced in 5.3 with commit b57dc7c13ea90e09ae15f821d2583fa0231b4935 and fixed in 6.8 with commit 3f14b377d01d8357eba032b4cabc8c1149b458b6

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-52610
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

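As an added check that is not part of the announcement, the following POSIX shell script (the function names are my own) classifies a kernel version string against the introduced and fixed versions listed above. It assumes a purely numeric comparison of the x.y.z part, so it cannot see a distribution backport of the fix and reports such kernels as affected.

```shell
# Added example (not part of the CVE announcement): classify a kernel version
# against the introduced/fixed versions listed above for CVE-2023-52610.
# Assumption: only the numeric x.y.z part is compared, so a distribution kernel
# that carries the fix as a backport is still reported "affected"; treat the
# result as a prompt to check the cve.org record, not as a verdict.

# ver_ge A B: succeed when dotted version A >= B (missing components count as 0).
ver_ge() {
    a="$1.0.0"; b="$2.0.0"
    a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a=${a#*.}; a3=${a%%.*}
    b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b=${b#*.}; b3=${b%%.*}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# cve_2023_52610_status VERSION: print unaffected, affected or fixed.
# Suffixes such as "-rc3" or "-generic" are dropped, so "6.7.0-rc3" (the kernel
# in the crash log above) is read as 6.7.0, which is inside the affected range.
cve_2023_52610_status() {
    v=${1%%[!0-9.]*}
    [ -n "$v" ] || { echo unknown; return 1; }
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    # Stable series with a fix listed in the advisory; any other series is fixed only from 6.8 on.
    case "$major.$minor" in
        5.15) fixed_in=5.15.148 ;;
        6.1)  fixed_in=6.1.75 ;;
        6.6)  fixed_in=6.6.14 ;;
        6.7)  fixed_in=6.7.2 ;;
        *)    fixed_in=6.8 ;;
    esac
    if ! ver_ge "$v" 5.3; then
        echo unaffected        # the advisory dates the bug to 5.3
    elif ver_ge "$v" "$fixed_in"; then
        echo fixed
    else
        echo affected
    fi
}

# Report on the running kernel and whether act_ct is loaded as a module (the
# bug lives in net/sched/act_ct.c; a built-in act_ct does not show up here).
running=$(uname -r 2>/dev/null || echo unknown)
echo "kernel $running: $(cve_2023_52610_status "$running") for CVE-2023-52610"
if [ -r /proc/modules ] && grep -q '^act_ct ' /proc/modules; then
    echo "act_ct module is loaded"
fi
```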

Affected files
==============

The file(s) affected by this issue are:
net/sched/act_ct.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4
https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4
https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97
https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441
https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6