lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025091857-CVE-2023-53433-fc43@gregkh>
Date: Thu, 18 Sep 2025 18:04:24 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53433: net: add vlan_get_protocol_and_depth() helper

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: add vlan_get_protocol_and_depth() helper

Before blamed commit, pskb_may_pull() was used instead
of skb_header_pointer() in __vlan_get_protocol() and friends.

Few callers depended on skb->head being populated with MAC header,
syzbot caught one of them (skb_mac_gso_segment())

Add vlan_get_protocol_and_depth() to make the intent clearer
and use it where sensible.

This is a more generic fix than commit e9d3f80935b6
("net/af_packet: make sure to pull mac header") which was
dealing with a similar issue.

kernel BUG at include/linux/skbuff.h:2655 !
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 1441 Comm: syz-executor199 Not tainted 6.1.24-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:__skb_pull include/linux/skbuff.h:2655 [inline]
RIP: 0010:skb_mac_gso_segment+0x68f/0x6a0 net/core/gro.c:136
Code: fd 48 8b 5c 24 10 44 89 6b 70 48 c7 c7 c0 ae 0d 86 44 89 e6 e8 a1 91 d0 00 48 c7 c7 00 af 0d 86 48 89 de 31 d2 e8 d1 4a e9 ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90001bd7520 EFLAGS: 00010286
RAX: ffffffff8469736a RBX: ffff88810f31dac0 RCX: ffff888115a18b00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001bd75e8 R08: ffffffff84697183 R09: fffff5200037adf9
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000012
R13: 000000000000fee5 R14: 0000000000005865 R15: 000000000000fed7
FS: 000055555633f300(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 0000000116fea000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
[<ffffffff847018dd>] __skb_gso_segment+0x32d/0x4c0 net/core/dev.c:3419
[<ffffffff8470398a>] skb_gso_segment include/linux/netdevice.h:4819 [inline]
[<ffffffff8470398a>] validate_xmit_skb+0x3aa/0xee0 net/core/dev.c:3725
[<ffffffff84707042>] __dev_queue_xmit+0x1332/0x3300 net/core/dev.c:4313
[<ffffffff851a9ec7>] dev_queue_xmit+0x17/0x20 include/linux/netdevice.h:3029
[<ffffffff851b4a82>] packet_snd net/packet/af_packet.c:3111 [inline]
[<ffffffff851b4a82>] packet_sendmsg+0x49d2/0x6470 net/packet/af_packet.c:3142
[<ffffffff84669a12>] sock_sendmsg_nosec net/socket.c:716 [inline]
[<ffffffff84669a12>] sock_sendmsg net/socket.c:736 [inline]
[<ffffffff84669a12>] __sys_sendto+0x472/0x5f0 net/socket.c:2139
[<ffffffff84669c75>] __do_sys_sendto net/socket.c:2151 [inline]
[<ffffffff84669c75>] __se_sys_sendto net/socket.c:2147 [inline]
[<ffffffff84669c75>] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147
[<ffffffff8551d40f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8551d40f>] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
[<ffffffff85600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

The Linux kernel CVE team has assigned CVE-2023-53433 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4.53 with commit 30d015f5ecd9ce5706ad18a4a0649f364e3e6f7b and fixed in 5.4.244 with commit 4188c5269475ac59d467b5814c5df02756f6d907
	Issue introduced in 5.8 with commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 and fixed in 5.10.181 with commit 34a5ee69ec6273f0aee79e7ce4d14afc83ca8122
	Issue introduced in 5.8 with commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 and fixed in 5.15.113 with commit 9dd9ffe118415b4ac1cebac43443000072bc8f46
	Issue introduced in 5.8 with commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 and fixed in 6.1.30 with commit 55caf900e13cd04466def08173a14b41d18c19c3
	Issue introduced in 5.8 with commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 and fixed in 6.3.4 with commit 15eaeb8941f12fcc2713c4bf6eb8f76a37854b4d
	Issue introduced in 5.8 with commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 and fixed in 6.4 with commit 4063384ef762cc5946fc7a3f89879e76c6ec51e2
	Issue introduced in 4.4.248 with commit bb7b26278b384dad1423101dc69157b63968ed1c
	Issue introduced in 4.9.248 with commit a890a3d3115da196ff25599fe900f34016a4ef49
	Issue introduced in 4.14.212 with commit 502bbb8480c38ae6caa4f890b98db3b2a4ae919a
	Issue introduced in 4.19.134 with commit d4d0e6c07bcd17d704afe64e10382ffc5d342765
	Issue introduced in 5.7.10 with commit 754056791f66153890825c2626174aaa7fe82d16

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53433
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/tap.c
	include/linux/if_vlan.h
	net/bridge/br_forward.c
	net/core/dev.c
	net/packet/af_packet.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4188c5269475ac59d467b5814c5df02756f6d907
	https://git.kernel.org/stable/c/34a5ee69ec6273f0aee79e7ce4d14afc83ca8122
	https://git.kernel.org/stable/c/9dd9ffe118415b4ac1cebac43443000072bc8f46
	https://git.kernel.org/stable/c/55caf900e13cd04466def08173a14b41d18c19c3
	https://git.kernel.org/stable/c/15eaeb8941f12fcc2713c4bf6eb8f76a37854b4d
	https://git.kernel.org/stable/c/4063384ef762cc5946fc7a3f89879e76c6ec51e2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ