CVE-2023-52580
Description
In the Linux kernel, the following vulnerability has been resolved: net/core: Fix ETH_P_1588 flow dissector When a PTP ethernet raw frame with a size of more than 256 bytes followed by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation is wrong. For example: hdr->message_length takes the wrong value (0xffff) and it does not replicate real header length. In this case, 'nhoff' value was overridden and the PTP header was badly dissected. This leads to a kernel crash. net/core: flow_dissector net/core flow dissector nhoff = 0x0000000e net/core flow dissector hdr->message_length = 0x0000ffff net/core flow dissector nhoff = 0x0001000d (u16 overflow) ... skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Using the size of the ptp_header struct will allow the corrected calculation of the nhoff value. net/core flow dissector nhoff = 0x0000000e net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header) ... skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Kernel trace: [ 74.984279] ------------[ cut here ]------------ [ 74.989471] kernel BUG at include/linux/skbuff.h:2440! [ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1 [ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023 [ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130 [ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9 [ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297 [ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003 [ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300 [ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800 [ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010 [ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800 [ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000 [ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0 [ 75.121980] PKRU: 55555554 [ 75.125035] Call Trace: [ 75.127792] <IRQ> [ 75.130063] ? eth_get_headlen+0xa4/0xc0 [ 75.134472] igc_process_skb_fields+0xcd/0x150 [ 75.139461] igc_poll+0xc80/0x17b0 [ 75.143272] __napi_poll+0x27/0x170 [ 75.147192] net_rx_action+0x234/0x280 [ 75.151409] __do_softirq+0xef/0x2f4 [ 75.155424] irq_exit_rcu+0xc7/0x110 [ 75.159432] common_interrupt+0xb8/0xd0 [ 75.163748] </IRQ> [ 75.166112] <TASK> [ 75.168473] asm_common_interrupt+0x22/0x40 [ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350 [ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1 [ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202 [ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f [ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20 [ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001 [ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980 [ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000 [ 75.245635] ? ---truncated---
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-2394.html
Vendor advisory: alma — https://bugzilla.redhat.com/2270118
Vendor advisory: alma — https://bugzilla.redhat.com/2270080
Vendor advisory: alma — https://bugzilla.redhat.com/2267795
Vendor advisory: alma — https://bugzilla.redhat.com/2267788
Vendor advisory: alma — https://bugzilla.redhat.com/2267758
Vendor advisory: alma — https://bugzilla.redhat.com/2267041
Vendor advisory: alma — https://bugzilla.redhat.com/2265646
Vendor advisory: alma — https://bugzilla.redhat.com/2265645
Vendor advisory: alma — https://bugzilla.redhat.com/2265520
Vendor advisory: alma — https://bugzilla.redhat.com/2265519
Vendor advisory: alma — https://bugzilla.redhat.com/2265518
Vendor advisory: alma — https://bugzilla.redhat.com/2265517
Vendor advisory: alma — https://bugzilla.redhat.com/2262127
Vendor advisory: alma — https://bugzilla.redhat.com/2262126
Vendor advisory: alma — https://bugzilla.redhat.com/2260005
Vendor advisory: alma — https://bugzilla.redhat.com/2258518
Vendor advisory: alma — https://bugzilla.redhat.com/2258013
Vendor advisory: alma — https://bugzilla.redhat.com/2255498
Vendor advisory: alma — https://bugzilla.redhat.com/2253034
Vendor advisory: alma — https://bugzilla.redhat.com/2252731
Vendor advisory: alma — https://bugzilla.redhat.com/2246980
Vendor advisory: alma — https://bugzilla.redhat.com/2239848
Vendor advisory: alma — https://bugzilla.redhat.com/2210024
Vendor advisory: alma — https://bugzilla.redhat.com/2188102
Vendor advisory: alma — https://bugzilla.redhat.com/2185519
Vendor advisory: alma — https://bugzilla.redhat.com/2133452
Vendor advisory: alma — https://bugzilla.redhat.com/2049700
Vendor advisory: alma — https://bugzilla.redhat.com/1918601
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-2950.html
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:2950
Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-3138.html
Vendor advisory: alma — https://bugzilla.redhat.com/2272811
Vendor advisory: alma — https://bugzilla.redhat.com/2270883
Vendor advisory: alma — https://bugzilla.redhat.com/2270836
Vendor advisory: alma — https://bugzilla.redhat.com/2269217
Vendor advisory: alma — https://bugzilla.redhat.com/2269189
Vendor advisory: alma — https://bugzilla.redhat.com/2267761
Vendor advisory: alma — https://bugzilla.redhat.com/2267760
Vendor advisory: alma — https://bugzilla.redhat.com/2267750
Vendor advisory: alma — https://bugzilla.redhat.com/2267695
Vendor advisory: alma — https://bugzilla.redhat.com/2265653
Vendor advisory: alma — https://bugzilla.redhat.com/2265285
Vendor advisory: alma — https://bugzilla.redhat.com/2257979
Vendor advisory: alma — https://bugzilla.redhat.com/2257682
Vendor advisory: alma — https://bugzilla.redhat.com/2256822
Vendor advisory: alma — https://bugzilla.redhat.com/2256490
Vendor advisory: alma — https://bugzilla.redhat.com/2255283
Vendor advisory: alma — https://bugzilla.redhat.com/2254982
Vendor advisory: alma — https://bugzilla.redhat.com/2254961
Vendor advisory: alma — https://bugzilla.redhat.com/2253632
Vendor advisory: alma — https://bugzilla.redhat.com/2250043
Vendor advisory: alma — https://bugzilla.redhat.com/2244720
Vendor advisory: alma — https://bugzilla.redhat.com/2239847
Vendor advisory: alma — https://bugzilla.redhat.com/2239845
Vendor advisory: alma — https://bugzilla.redhat.com/2235306
Vendor advisory: alma — https://bugzilla.redhat.com/2231410
Vendor advisory: alma — https://bugzilla.redhat.com/2230042
Vendor advisory: alma — https://bugzilla.redhat.com/2226788
Vendor advisory: alma — https://bugzilla.redhat.com/2226787
Vendor advisory: alma — https://bugzilla.redhat.com/2226784
Vendor advisory: alma — https://bugzilla.redhat.com/2226777
Vendor advisory: alma — https://bugzilla.redhat.com/2221702
Vendor advisory: alma — https://bugzilla.redhat.com/2221463
Vendor advisory: alma — https://bugzilla.redhat.com/2221039
Vendor advisory: alma — https://bugzilla.redhat.com/2219359
Vendor advisory: alma — https://bugzilla.redhat.com/2218332
Vendor advisory: alma — https://bugzilla.redhat.com/2213132
Vendor advisory: alma — https://bugzilla.redhat.com/2179892
Vendor advisory: alma — https://bugzilla.redhat.com/2177759
Vendor advisory: alma — https://bugzilla.redhat.com/2151959
Vendor advisory: alma — https://bugzilla.redhat.com/2150953
Vendor advisory: alma — https://bugzilla.redhat.com/2044578
Vendor advisory: alma — https://bugzilla.redhat.com/2043520
Vendor advisory: alma — https://bugzilla.redhat.com/2039178
Vendor advisory: alma — https://bugzilla.redhat.com/1999589
Vendor advisory: alma — https://bugzilla.redhat.com/1888726
Vendor advisory: alma — https://bugzilla.redhat.com/1746732
Vendor advisory: alma — https://bugzilla.redhat.com/1731000
Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:3138
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-52580
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2023-52580.html
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:2950
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:2394
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| rocky | 8 | fixed | |
| sles | affected | | |
| debian | bookworm | fixed | 6.1.64-1 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.5.6-1 |
| debian | sid | fixed | 6.5.6-1 |
| debian | trixie | fixed | 6.5.6-1 |
| almalinux | 8 | fixed | kernel-abi-stablelists-4.18.0-553.el8_10.noarch.rpm |
| almalinux | 9 | fixed | kernel-doc-5.14.0-427.13.1.el9_4.noarch.rpm |
References
- https://access.redhat.com/errata/RHSA-2024:2394
- https://errata.rockylinux.org/RLSA-2024:2950
- https://www.suse.com/security/cve/CVE-2023-52580.html
- https://security-tracker.debian.org/tracker/CVE-2023-52580
- https://access.redhat.com/errata/RHSA-2024:3138
- https://bugzilla.redhat.com/1731000
- https://bugzilla.redhat.com/1746732
- https://bugzilla.redhat.com/1888726
- https://bugzilla.redhat.com/1999589
- https://bugzilla.redhat.com/2039178
- https://bugzilla.redhat.com/2043520
- https://bugzilla.redhat.com/2044578
- https://bugzilla.redhat.com/2150953
- https://bugzilla.redhat.com/2151959
- https://bugzilla.redhat.com/2177759
- https://bugzilla.redhat.com/2179892
- https://bugzilla.redhat.com/2213132
- https://bugzilla.redhat.com/2218332
- https://bugzilla.redhat.com/2219359
- https://bugzilla.redhat.com/2221039
- https://bugzilla.redhat.com/2221463
- https://bugzilla.redhat.com/2221702
- https://bugzilla.redhat.com/2226777
- https://bugzilla.redhat.com/2226784
- https://bugzilla.redhat.com/2226787
Verify integrity in audit chain (admin only). AS-IS.