admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 17:21:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2023/CVE-2023-526xx/CVE-2023-52610.json
cad-safe-bot 7ab230f046 Auto-Update: 2025-03-16T03:00:19.723046+00:00
2025-03-16 03:03:50 +00:00

176 lines
13 KiB
JSON
Raw Blame History

{
"id": "CVE-2023-52610",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-03-18T11:15:07.943",
"lastModified": "2025-03-10T15:39:09.893",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix skb leak and crash on ooo frags\n\nact_ct adds skb->users before defragmentation. If frags arrive in order,\nthe last frag's reference is reset in:\n\n inet_frag_reasm_prepare\n skb_morph\n\nwhich is not straightforward.\n\nHowever when frags arrive out of order, nobody unref the last frag, and\nall frags are leaked. The situation is even worse, as initiating packet\ncapture can lead to a crash[0] when skb has been cloned and shared at the\nsame time.\n\nFix the issue by removing skb_get() before defragmentation. act_ct\nreturns TC_ACT_CONSUMED when defrag failed or in progress.\n\n[0]:\n[ 843.804823] ------------[ cut here ]------------\n[ 843.809659] kernel BUG at net/core/skbuff.c:2091!\n[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP\n[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2\n[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022\n[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300\n[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89\n[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202\n[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820\n[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00\n[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000\n[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880\n[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900\n[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000\n[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0\n[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 843.894229] PKRU: 55555554\n[ 843.898539] Call Trace:\n[ 843.902772] <IRQ>\n[ 843.906922] ? __die_body+0x1e/0x60\n[ 843.911032] ? die+0x3c/0x60\n[ 843.915037] ? do_trap+0xe2/0x110\n[ 843.918911] ? pskb_expand_head+0x2ac/0x300\n[ 843.922687] ? do_error_trap+0x65/0x80\n[ 843.926342] ? pskb_expand_head+0x2ac/0x300\n[ 843.929905] ? exc_invalid_op+0x50/0x60\n[ 843.933398] ? pskb_expand_head+0x2ac/0x300\n[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20\n[ 843.940226] ? pskb_expand_head+0x2ac/0x300\n[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240\n[ 843.946904] ip_defrag+0x5d4/0x870\n[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]\n[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]\n[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]\n[ 843.959657] tcf_action_exec+0xa1/0x160\n[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]\n[ 843.966010] ? skb_clone+0x53/0xc0\n[ 843.969173] tcf_classify+0x24d/0x420\n[ 843.972333] tc_run+0x8f/0xf0\n[ 843.975465] __netif_receive_skb_core+0x67a/0x1080\n[ 843.978634] ? dev_gro_receive+0x249/0x730\n[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260\n[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0\n[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]\n[ 843.991170] napi_complete_done+0x72/0x1a0\n[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]\n[ 843.997501] __napi_poll+0x25/0x1b0\n[ 844.000627] net_rx_action+0x256/0x330\n[ 844.003705] __do_softirq+0xb3/0x29b\n[ 844.006718] irq_exit_rcu+0x9e/0xc0\n[ 844.009672] common_interrupt+0x86/0xa0\n[ 844.012537] </IRQ>\n[ 844.015285] <TASK>\n[ 844.017937] asm_common_interrupt+0x26/0x40\n[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20\n[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb\n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/sched: act_ct: corrige la fuga de skb y falla en ooo frags act_ct agrega usuarios de skb-&gt; antes de la desfragmentaci\u00f3n. Si los fragmentos llegan en orden, la referencia del \u00faltimo fragmento se restablece en: inet_frag_reasm_prepare skb_morph, lo cual no es sencillo. Sin embargo, cuando los fragmentos llegan desordenados, nadie elimina la referencia del \u00faltimo fragmento y todos los fragmentos se filtran. La situaci\u00f3n es a\u00fan peor, ya que iniciar la captura de paquetes puede provocar una falla[0] cuando skb ha sido clonado y compartido al mismo tiempo. Solucione el problema eliminando skb_get() antes de la desfragmentaci\u00f3n. act_ct devuelve TC_ACT_CONSUMED cuando la desfragmentaci\u00f3n falla o est\u00e1 en progreso. [0]: [843.804823] ------------[ cortar aqu\u00ed ]------------ [ 843.809659] ERROR del kernel en net/core/skbuff.c:2091 ! [843.814516] c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP [ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: cargado Contaminado: GS 6.7.0-rc3 #2 [ 843.824107] Nombre de hardware: XFUSION 1288H V6/ BC13MBSBD, BIOS 1.29 25/11/2022 [ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300 [ 843.833805] C\u00f3digo: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 0 0 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b &lt;0f&gt; 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89 [ 843.843698] RSP: 0 018:ffffc9000cce07c0 EFLAGS: 00010202 [843.848524] RAX: 00000000000000002 RBX: ffff88811a211d00 RCX: 00000000000000820 [843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00 [ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 00000000000000000 [ 843.862584] R10: 00 00000000000000 R11: ffff8881109f0000 R12: 0000000000000880 [ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900 [ 843.871680] FS: 0000000000000000(0 000) GS:ffff889ffffc0000(0000) knlGS:00000000000000000 [ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 843.880778] CR2 : 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0 [ 843.885336] DR0: 00000000000000000 DR1: 00000000000000000 DR2: 000000000000000 00 [ 843.889809] DR3: 00000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 843.894229] PKRU: 55555554 [ 843.898539] Rastreo de llamadas: [ 843.90277 2] [843.906922] ? __die_body+0x1e/0x60 [ 843.911032] ? morir+0x3c/0x60 [843.915037]? do_trap+0xe2/0x110 [843.918911]? pskb_expand_head+0x2ac/0x300 [843.922687]? do_error_trap+0x65/0x80 [843.926342]? pskb_expand_head+0x2ac/0x300 [843.929905]? exc_invalid_op+0x50/0x60 [843.933398]? pskb_expand_head+0x2ac/0x300 [843.936835]? asm_exc_invalid_op+0x1a/0x20 [843.940226]? pskb_expand_head+0x2ac/0x300 [ 843.943580] inet_frag_reasm_prepare+0xd1/0x240 [ 843.946904] ip_defrag+0x5d4/0x870 [ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conn pista] [843.953334] tcf_ct_act+0x252/0xd90 [act_ct] [843.956473]? tcf_mirred_act+0x516/0x5a0 [act_mirred] [843.959657] tcf_action_exec+0xa1/0x160 [843.962823] fl_classify+0x1db/0x1f0 [cls_flower] [843.966010] ? skb_clone+0x53/0xc0 [ 843.969173] tcf_classify+0x24d/0x420 [ 843.972333] tc_run+0x8f/0xf0 [ 843.975465] __netif_receive_skb_core+0x67a/0x1080 [ 843.978634 ] ? dev_gro_receive+0x249/0x730 [843.981759] __netif_receive_skb_list_core+0x12d/0x260 [843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0 [843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core] [ 843.991170] napi_complete_done+0x72/0x1a0 [ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core] [ 843.997501] __napi_poll+0x25/0x1b0 [ 844.000627] net_rx_action+0x256/0x330 [ 844.003705] __do_softirq+0xb3/ 0x29b [ 844.006718] irq_exit_rcu+0x9e/0xc0 [ 844.009672] common_interrupt+0x86/0xa0 [ 844.012537] [ 844.015285] [ 844.017937] asm_common_interrupt+0x26 /0x40 [844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20 [ 844.023247] ---truncado ---"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-401"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3",
"versionEndExcluding": "5.15.148",
"matchCriteriaId": "8F81F20B-C3A0-4AD7-B13E-118B3FDB8019"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16",
"versionEndExcluding": "6.1.75",
"matchCriteriaId": "070D0ED3-90D0-4F95-B1FF-57D7F46F332D"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2",
"versionEndExcluding": "6.6.14",
"matchCriteriaId": "5C6B50A6-3D8B-4CE2-BDCC-A098609CBA14"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.7.2",
"matchCriteriaId": "7229C448-E0C9-488B-8939-36BA5254065E"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink