CVE-2023-52610: net/sched: act_ct: fix skb leak and crash on ooo frags
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: fix skb leak and crash on ooo frags
act_ct adds skb->users before defragmentation. If frags arrive in order, the last frag's reference is reset in:
    inet_frag_reasm_prepare
        skb_morph
which is not straightforward.
However, when frags arrive out of order, nobody unrefs the last frag, and all frags are leaked. The situation is even worse, as initiating packet capture can lead to a crash [0] when the skb has been cloned and shared at the same time.
Fix the issue by removing skb_get() before defragmentation. act_ct returns TC_ACT_CONSUMED when defrag fails or is in progress.
[0]:
[ 843.804823] ------------[ cut here ]------------
[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 843.894229] PKRU: 55555554
[ 843.898539] Call Trace:
[ 843.902772]  <IRQ>
[ 843.906922]  ? die_body+0x1e/0x60
[ 843.911032]  ? die+0x3c/0x60
[ 843.915037]  ? do_trap+0xe2/0x110
[ 843.918911]  ? pskb_expand_head+0x2ac/0x300
[ 843.922687]  ? do_error_trap+0x65/0x80
[ 843.926342]  ? pskb_expand_head+0x2ac/0x300
[ 843.929905]  ? exc_invalid_op+0x50/0x60
[ 843.933398]  ? pskb_expand_head+0x2ac/0x300
[ 843.936835]  ? asm_exc_invalid_op+0x1a/0x20
[ 843.940226]  ? pskb_expand_head+0x2ac/0x300
[ 843.943580]  inet_frag_reasm_prepare+0xd1/0x240
[ 843.946904]  ip_defrag+0x5d4/0x870
[ 843.950132]  nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
[ 843.953334]  tcf_ct_act+0x252/0xd90 [act_ct]
[ 843.956473]  ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
[ 843.959657]  tcf_action_exec+0xa1/0x160
[ 843.962823]  fl_classify+0x1db/0x1f0 [cls_flower]
[ 843.966010]  ? skb_clone+0x53/0xc0
[ 843.969173]  tcf_classify+0x24d/0x420
[ 843.972333]  tc_run+0x8f/0xf0
[ 843.975465]  __netif_receive_skb_core+0x67a/0x1080
[ 843.978634]  ? dev_gro_receive+0x249/0x730
[ 843.981759]  __netif_receive_skb_list_core+0x12d/0x260
[ 843.984869]  netif_receive_skb_list_internal+0x1cb/0x2f0
[ 843.987957]  ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
[ 843.991170]  napi_complete_done+0x72/0x1a0
[ 843.994305]  mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
[ 843.997501]  __napi_poll+0x25/0x1b0
[ 844.000627]  net_rx_action+0x256/0x330
[ 844.003705]  __do_softirq+0xb3/0x29b
[ 844.006718]  irq_exit_rcu+0x9e/0xc0
[ 844.009672]  common_interrupt+0x86/0xa0
[ 844.012537]  </IRQ>
[ 844.015285]  <TASK>
[ 844.017937]  asm_common_interrupt+0x26/0x40
[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb
---truncated---
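The ownership rule behind the commit message is easier to see in a small userspace model than in the kernel sources. The program below is an added example written for this page; it is not kernel code and not the upstream patch. It keeps only what the commit text describes: the defragmenter always takes ownership of the skb it is handed; a completing fragment that is not the head is morphed into the reassembled head, which resets skb->users to 1; a completing fragment that already is the head (offset-0 fragment arrived last, i.e. out of order) keeps its refcount; and the ingress hook drops its own reference on TC_ACT_STOLEN/TC_ACT_SHOT but does nothing on TC_ACT_CONSUMED. Everything else (struct skb, alloc_skb, defrag, ingress, the two-fragment datagram, the leak counter) is a simplified stand-in and an assumption of this model, not a kernel API. The before-fix action takes the extra reference and returns STOLEN; the after-fix action takes none and returns CONSUMED whenever the defragmenter kept or freed the skb.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct sk_buff (model assumption): only the refcount, the
 * offset-0 flag and the chain of sibling fragments matter here. */
struct skb {
    int users;             /* reference count, like skb->users */
    int is_head;           /* 1 if this fragment has offset 0 */
    struct skb *frag_list; /* sibling fragments owned by the reassembled skb */
};

static int live_skbs;      /* allocations minus frees; non-zero means a leak */

static struct skb *alloc_skb(int is_head)
{
    struct skb *s = calloc(1, sizeof *s);
    if (!s)
        abort();
    s->users = 1;
    s->is_head = is_head;
    live_skbs++;
    return s;
}

static void skb_get(struct skb *s) { s->users++; }

static void consume_skb(struct skb *s)
{
    if (--s->users > 0)
        return;
    if (s->frag_list)          /* freeing the head frees the chained frags */
        consume_skb(s->frag_list);
    live_skbs--;
    free(s);
}

enum defrag_result { DEFRAG_INPROGRESS = -1, DEFRAG_OK = 0, DEFRAG_ERR = 1 };

struct frag_queue { struct skb *queued; };   /* one two-fragment datagram */

/* Model of ip_defrag(): always takes ownership of skb. A corrupt fragment is
 * freed here; the first fragment to arrive is queued; the completing fragment
 * becomes the reassembled packet. Per the commit text, the skb_morph path
 * (completing fragment is not the head) resets users to 1, while the
 * head-arrives-last path leaves the refcount untouched. */
static enum defrag_result defrag(struct frag_queue *q, struct skb *skb, int corrupt)
{
    if (corrupt) {
        consume_skb(skb);
        return DEFRAG_ERR;
    }
    if (!q->queued) {
        q->queued = skb;
        return DEFRAG_INPROGRESS;
    }
    skb->frag_list = q->queued;
    q->queued = NULL;
    if (!skb->is_head)
        skb->users = 1;
    return DEFRAG_OK;
}

enum tc_act { TC_ACT_OK, TC_ACT_SHOT, TC_ACT_STOLEN, TC_ACT_CONSUMED };

/* Before the fix: take an extra reference and rely on the caller's release on
 * STOLEN/SHOT to balance it. On success the balance only works when the
 * morph path resets the refcount, which the out-of-order case never does. */
static enum tc_act act_ct_before(struct frag_queue *q, struct skb *skb, int corrupt)
{
    enum defrag_result r;

    skb_get(skb);
    r = defrag(q, skb, corrupt);
    if (r == DEFRAG_INPROGRESS)
        return TC_ACT_STOLEN;
    if (r == DEFRAG_ERR)
        return TC_ACT_SHOT;
    return TC_ACT_OK;
}

/* After the fix: no extra reference; whenever the defragmenter kept or freed
 * the skb, report CONSUMED so the caller does not touch it again. */
static enum tc_act act_ct_after(struct frag_queue *q, struct skb *skb, int corrupt)
{
    if (defrag(q, skb, corrupt) != DEFRAG_OK)
        return TC_ACT_CONSUMED;
    return TC_ACT_OK;
}

/* Model of the ingress hook (assumption): frees the packet after delivery on
 * OK, drops its own reference on STOLEN/SHOT, does nothing on CONSUMED. */
static void ingress(struct frag_queue *q, struct skb *skb, int corrupt, int fixed)
{
    enum tc_act v = fixed ? act_ct_after(q, skb, corrupt)
                          : act_ct_before(q, skb, corrupt);
    if (v != TC_ACT_CONSUMED)
        consume_skb(skb);
}

/* Replay a two-fragment datagram and return how many skbs are still
 * allocated afterwards. in_order=1 sends the offset-0 fragment first. */
static int leaked_after_datagram(int in_order, int fixed)
{
    struct frag_queue q = { 0 };

    live_skbs = 0;
    ingress(&q, alloc_skb(in_order), 0, fixed);
    ingress(&q, alloc_skb(!in_order), 0, fixed);
    return live_skbs;
}

/* Same check for a fragment the defragmenter rejects outright. */
static int leaked_after_bad_fragment(int fixed)
{
    struct frag_queue q = { 0 };

    live_skbs = 0;
    ingress(&q, alloc_skb(1), 1, fixed);
    return live_skbs;
}

int main(void)
{
    printf("before fix, in order:     %d skb(s) leaked\n", leaked_after_datagram(1, 0));
    printf("before fix, out of order: %d skb(s) leaked\n", leaked_after_datagram(0, 0));
    printf("after fix,  out of order: %d skb(s) leaked\n", leaked_after_datagram(0, 1));
    printf("after fix,  bad fragment: %d skb(s) leaked\n", leaked_after_bad_fragment(1));
    return 0;
}
```

Walking through the out-of-order case before the fix: the non-head fragment is queued with one reference left after the hook's consume_skb(), then the head arrives, gets its extra reference, completes reassembly without a morph, and leaves the hook with users still at 1 after delivery. Both fragments stay allocated, which is the "all frags are leaked" outcome in the commit text. The error and in-progress paths balance in both variants; only the success path with an unreset refcount differs, which is why dropping skb_get() and returning TC_ACT_CONSUMED (rather than counting on the caller's release) closes the hole.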
Other sources
Same description as above.
— NVD
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: fix skb leak and crash on ooo frags
The Linux kernel CVE team has assigned CVE-2023-52610 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/20240318100758.2828621-10-lee@kernel.org/T
— Red Hat
Frequently Asked Questions
What is the severity of CVE-2023-52610?
The page does not carry a numeric CVSS score. The practical impact is on availability: every out-of-order fragmented datagram that passes through a tc ct action leaks all of its fragments, so kernel memory is exhausted over time, and once packet capture is started on that traffic the leaked, still-shared skb hits a kernel BUG() in pskb_expand_head reached from inet_frag_reasm_prepare (see the trace above), which crashes the host.
How do I fix CVE-2023-52610?
To fix CVE-2023-52610, upgrade to a kernel that carries the upstream fix "net/sched: act_ct: fix skb leak and crash on ooo frags"; the page lists stable releases 5.15.148 and 6.1.75 as fixed. Distribution kernels receive the fix as a backport without a change to the upstream version string, so check the vendor advisory for your package version rather than comparing uname -r against upstream numbers.
Which Linux kernel versions are affected by CVE-2023-52610?
CVE-2023-52610 affects kernels that include the tc ct action (the act_ct module) and predate the fix; the page lists 5.15.148 and 6.1.75 as the first fixed releases in their stable series. Other stable series received the same fix through their own updates, and the upstream advisory linked above carries the full list of fixed versions.
What type of issue does CVE-2023-52610 address?
CVE-2023-52610 is a reference-counting bug in net/sched act_ct: the action took an extra skb reference before handing fragments to the defragmenter and relied on the reassembly path to reset it, which only happens when fragments arrive in order. Out-of-order fragments are leaked, and the leaked, still-shared skb can trigger a kernel BUG() when packet capture clones it.
Is there a known workaround for CVE-2023-52610?
No configuration-level workaround is given in the report; the fix is the kernel update. The vulnerable path runs only when a tc filter invokes action ct (the act_ct module; the call trace shows tcf_ct_act calling nf_ct_handle_fragments and ip_defrag), so a host with no such filters is not exposed through it. Filters and actions in use can be listed with tc filter show dev <ifname> ingress and tc actions list action ct.