Message-ID: <2025122425-CVE-2023-54051-b704@gregkh>
Date: Wed, 24 Dec 2025 13:26:44 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-54051: net: do not allow gso_size to be set to GSO_BY_FRAGS

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: do not allow gso_size to be set to GSO_BY_FRAGS

One missing check in virtio_net_hdr_to_skb() allowed
syzbot to crash kernels again [1]

Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff),
because this magic value is used by the kernel.

[1]
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500
Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01
RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000
RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070
RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff
R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6
R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff
FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109
ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120
skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53
__skb_gso_segment+0x339/0x710 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625
__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329
dev_queue_xmit include/linux/netdevice.h:3082 [inline]
packet_xmit+0x257/0x380 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3087 [inline]
packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:727 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:750
____sys_sendmsg+0x6ac/0x940 net/socket.c:2496
___sys_sendmsg+0x135/0x1d0 net/socket.c:2550
__sys_sendmsg+0x117/0x1e0 net/socket.c:2579
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff27cdb34d9

The Linux kernel CVE team has assigned CVE-2023-54051 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.8 with commit 3953c46c3ac7eef31a9935427371c6f54a22f1ba and fixed in 4.14.324 with commit a5f9e5804d239d288d983db36bbed45ed10729a0
	Issue introduced in 4.8 with commit 3953c46c3ac7eef31a9935427371c6f54a22f1ba and fixed in 4.19.293 with commit 4c9bfadb4301daaceb6c575fa6ad3bc82c152e79
	Issue introduced in 4.8 with commit 3953c46c3ac7eef31a9935427371c6f54a22f1ba and fixed in 5.4.255 with commit 210ff31342ade546d8d9d0ec4d3cf9cb50ae632d
	Issue introduced in 4.8 with commit 3953c46c3ac7eef31a9935427371c6f54a22f1ba and fixed in 5.10.192 with commit 0a593e8a9d24360fbc469c5897d0791aa2f20ed3
	Issue introduced in 4.8 with commit 3953c46c3ac7eef31a9935427371c6f54a22f1ba and fixed in 5.15.128 with commit 578371ce0d7f67ea1e65817c04478aaab0d36b68
	Issue introduced in 4.8 with commit 3953c46c3ac7eef31a9935427371c6f54a22f1ba and fixed in 6.1.47 with commit 2e03a92b241102aaf490439aa1b00239f84f530f
	Issue introduced in 4.8 with commit 3953c46c3ac7eef31a9935427371c6f54a22f1ba and fixed in 6.4.12 with commit e3636862f5595b3d2f02650f7b21d39043a34f3e
	Issue introduced in 4.8 with commit 3953c46c3ac7eef31a9935427371c6f54a22f1ba and fixed in 6.5 with commit b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-54051
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	include/linux/virtio_net.h


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/a5f9e5804d239d288d983db36bbed45ed10729a0
	https://git.kernel.org/stable/c/4c9bfadb4301daaceb6c575fa6ad3bc82c152e79
	https://git.kernel.org/stable/c/210ff31342ade546d8d9d0ec4d3cf9cb50ae632d
	https://git.kernel.org/stable/c/0a593e8a9d24360fbc469c5897d0791aa2f20ed3
	https://git.kernel.org/stable/c/578371ce0d7f67ea1e65817c04478aaab0d36b68
	https://git.kernel.org/stable/c/2e03a92b241102aaf490439aa1b00239f84f530f
	https://git.kernel.org/stable/c/e3636862f5595b3d2f02650f7b21d39043a34f3e
	https://git.kernel.org/stable/c/b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9
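
The missing check described above, as an added user-space model in C; it is not the kernel's code or the upstream patch. The `model_*` names, the reduced structs and the `patched` switch are hypothetical, and the treatment of 0xffff as "take segment sizes from the fragment list" is a simplifying assumption used to show why an in-band magic value must be rejected at the untrusted boundary.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GSO_BY_FRAGS 0xFFFF /* magic value named in the advisory */

/* Hypothetical, reduced stand-ins for the virtio-net header and the skb. */
struct model_hdr { uint8_t gso_type; uint16_t gso_size; };
struct model_pkt { size_t len; uint16_t gso_size; const struct model_pkt *frag_list; };

/* Copy untrusted header fields into internal state; 'patched' adds the check. */
int model_hdr_to_pkt(const struct model_hdr *h, struct model_pkt *p, int patched)
{
    p->gso_size = 0;
    if (h->gso_type == 0)           /* 0 = no GSO in this model */
        return 0;
    if (h->gso_size == 0)
        return -EINVAL;
    if (patched && h->gso_size == GSO_BY_FRAGS)
        return -EINVAL;             /* value is reserved for internal use */
    p->gso_size = h->gso_size;
    return 0;
}

/* Segment count, or -EFAULT where the sentinel would force a NULL dereference. */
long model_segment(const struct model_pkt *p)
{
    long n = 0;
    if (p->gso_size == 0)
        return 1;
    if (p->gso_size != GSO_BY_FRAGS)
        return (long)((p->len + p->gso_size - 1) / p->gso_size);
    if (!p->frag_list)
        return -EFAULT;             /* model assumption: sizes come from frag_list */
    for (const struct model_pkt *f = p->frag_list; f; f = f->frag_list)
        n++;
    return n;
}

int main(void)
{
    struct model_hdr h = { .gso_type = 1, .gso_size = GSO_BY_FRAGS }; /* constructed */
    struct model_pkt p = { .len = 4000 };
    int rc = model_hdr_to_pkt(&h, &p, 0);
    printf("unpatched: rc=%d segment=%ld\n", rc, model_segment(&p));
    printf("patched:   rc=%d\n", model_hdr_to_pkt(&h, &p, 1));
    return 0;
}
```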
