cve/2023/CVE-2023-52610.md
2024-05-28 08:49:17 +00:00

CVE-2023-52610

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: fix skb leak and crash on ooo frags

act_ct adds skb->users before defragmentation. If frags arrive in order,
the last frag's reference is reset in:

  inet_frag_reasm_prepare
    skb_morph

which is not straightforward.

However when frags arrive out of order, nobody unref the last frag, and
all frags are leaked. The situation is even worse, as initiating packet
capture can lead to a crash[0] when skb has been cloned and shared at the
same time.

Fix the issue by removing skb_get() before defragmentation. act_ct
returns TC_ACT_CONSUMED when defrag failed or in progress.

[0]:
[ 843.804823] ------------[ cut here ]------------
[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 843.894229] PKRU: 55555554
[ 843.898539] Call Trace:
[ 843.902772]
[ 843.906922] ? __die_body+0x1e/0x60
[ 843.911032] ? die+0x3c/0x60
[ 843.915037] ? do_trap+0xe2/0x110
[ 843.918911] ? pskb_expand_head+0x2ac/0x300
[ 843.922687] ? do_error_trap+0x65/0x80
[ 843.926342] ? pskb_expand_head+0x2ac/0x300
[ 843.929905] ? exc_invalid_op+0x50/0x60
[ 843.933398] ? pskb_expand_head+0x2ac/0x300
[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20
[ 843.940226] ? pskb_expand_head+0x2ac/0x300
[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
[ 843.946904] ip_defrag+0x5d4/0x870
[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
[ 843.959657] tcf_action_exec+0xa1/0x160
[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]
[ 843.966010] ? skb_clone+0x53/0xc0
[ 843.969173] tcf_classify+0x24d/0x420
[ 843.972333] tc_run+0x8f/0xf0
[ 843.975465] __netif_receive_skb_core+0x67a/0x1080
[ 843.978634] ? dev_gro_receive+0x249/0x730
[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260
[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0
[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
[ 843.991170] napi_complete_done+0x72/0x1a0
[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
[ 843.997501] __napi_poll+0x25/0x1b0
[ 844.000627] net_rx_action+0x256/0x330
[ 844.003705] __do_softirq+0xb3/0x29b
[ 844.006718] irq_exit_rcu+0x9e/0xc0
[ 844.009672] common_interrupt+0x86/0xa0
[ 844.012537]
[ 844.015285]
[ 844.017937] asm_common_interrupt+0x26/0x40
[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb
---truncated---

POC

Reference

No PoCs from references.

Github