cve-2023-52778
Vulnerability from cvelistv5
Published
2024-05-21 15:30
Modified
2024-11-04 14:52
Severity ?
Summary
mptcp: deal with large GSO size
Impacted products
Vendor Product Version
Linux Linux Version: 5.19
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52778",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T18:34:28.820303Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:22:35.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:11:35.925Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/70ff9b65a72885b3a2dfde6709da1f19b85fa696"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/342b528c0e849bed9def76dadaa470d3af678e94"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/57ced2eb77343a91d28f4a73675b05fe7b555def"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9fce92f050f448a0d1ddd9083ef967d9930f1e52"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "70ff9b65a728",
              "status": "affected",
              "version": "7c4e983c4f3c",
              "versionType": "git"
            },
            {
              "lessThan": "342b528c0e84",
              "status": "affected",
              "version": "7c4e983c4f3c",
              "versionType": "git"
            },
            {
              "lessThan": "57ced2eb7734",
              "status": "affected",
              "version": "7c4e983c4f3c",
              "versionType": "git"
            },
            {
              "lessThan": "9fce92f050f4",
              "status": "affected",
              "version": "7c4e983c4f3c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: deal with large GSO size\n\nAfter the blamed commit below, the TCP sockets (and the MPTCP subflows)\ncan build egress packets larger than 64K. That exceeds the maximum DSS\ndata size, the length being misrepresent on the wire and the stream being\ncorrupted, as later observed on the receiver:\n\n  WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0\n  CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n  netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4\u0027.\n  RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705\n  RSP: 0018:ffffc90000006e80 EFLAGS: 00010246\n  RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000\n  netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4\u0027.\n  RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908\n  RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a\n  R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908\n  R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29\n  FS:  00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\n  PKRU: 55555554\n  Call Trace:\n   \u003cIRQ\u003e\n   mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819\n   subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409\n   tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151\n   tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098\n   tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483\n   tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749\n   ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438\n   ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483\n   ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304\n   __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532\n   process_backlog+0x353/0x660 net/core/dev.c:5974\n   __napi_poll+0xc6/0x5a0 net/core/dev.c:6536\n   net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603\n   __do_softirq+0x184/0x524 kernel/softirq.c:553\n   do_softirq+0xdd/0x130 kernel/softirq.c:454\n\nAddress the issue explicitly bounding the maximum GSO size to what MPTCP\nactually allows."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T14:52:32.367Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/70ff9b65a72885b3a2dfde6709da1f19b85fa696"
        },
        {
          "url": "https://git.kernel.org/stable/c/342b528c0e849bed9def76dadaa470d3af678e94"
        },
        {
          "url": "https://git.kernel.org/stable/c/57ced2eb77343a91d28f4a73675b05fe7b555def"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fce92f050f448a0d1ddd9083ef967d9930f1e52"
        }
      ],
      "title": "mptcp: deal with large GSO size",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52778",
    "datePublished": "2024-05-21T15:30:58.244Z",
    "dateReserved": "2024-05-21T15:19:24.240Z",
    "dateUpdated": "2024-11-04T14:52:32.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52778\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:16.817\",\"lastModified\":\"2024-11-21T08:40:34.167\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmptcp: deal with large GSO size\\n\\nAfter the blamed commit below, the TCP sockets (and the MPTCP subflows)\\ncan build egress packets larger than 64K. That exceeds the maximum DSS\\ndata size, the length being misrepresent on the wire and the stream being\\ncorrupted, as later observed on the receiver:\\n\\n  WARNING: CPU: 0 PID: 9696 at net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/0x26e0\\n  CPU: 0 PID: 9696 Comm: syz-executor.7 Not tainted 6.6.0-rc5-gcd8bdf563d46 #45\\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\n  netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4\u0027.\\n  RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705\\n  RSP: 0018:ffffc90000006e80 EFLAGS: 00010246\\n  RAX: ffffffff83e9f674 RBX: ffff88802f45d870 RCX: ffff888102ad0000\\n  netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4\u0027.\\n  RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908\\n  RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a\\n  R10: dffffc0000000000 R11: ffffed100e548c8b R12: 0000000000013908\\n  R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29\\n  FS:  00007f239c47e700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0\\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\\n  PKRU: 55555554\\n  Call Trace:\\n   \u003cIRQ\u003e\\n   mptcp_data_ready+0x263/0xac0 net/mptcp/protocol.c:819\\n   subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409\\n   tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151\\n   tcp_rcv_established+0x950/0x1d90 net/ipv4/tcp_input.c:6098\\n   tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483\\n   tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749\\n   ip6_protocol_deliver_rcu+0xd6b/0x1ae0 net/ipv6/ip6_input.c:438\\n   ip6_input+0x1c5/0x470 net/ipv6/ip6_input.c:483\\n   ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304\\n   __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532\\n   process_backlog+0x353/0x660 net/core/dev.c:5974\\n   __napi_poll+0xc6/0x5a0 net/core/dev.c:6536\\n   net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603\\n   __do_softirq+0x184/0x524 kernel/softirq.c:553\\n   do_softirq+0xdd/0x130 kernel/softirq.c:454\\n\\nAddress the issue explicitly bounding the maximum GSO size to what MPTCP\\nactually allows.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mptcp: trata con un tama\u00f1o GSO grande. Despu\u00e9s del compromiso culpable a continuaci\u00f3n, los sockets TCP (y los subflujos MPTCP) pueden generar paquetes de salida de m\u00e1s de 64 KB. Eso excede el tama\u00f1o m\u00e1ximo de datos DSS, la longitud se tergiversa en el cable y la transmisi\u00f3n se corrompe, como se observ\u00f3 m\u00e1s tarde en el receptor: ADVERTENCIA: CPU: 0 PID: 9696 en net/mptcp/protocol.c:705 __mptcp_move_skbs_from_subflow+0x2604/ 0x26e0 CPU: 0 PID: 9696 Comm: syz-executor.7 No contaminado 6.6.0-rc5-gcd8bdf563d46 #45 Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01 /2014 netlink: 8 bytes sobrantes despu\u00e9s de analizar los atributos en el proceso `syz-executor.4\u0027. RIP: 0010:__mptcp_move_skbs_from_subflow+0x2604/0x26e0 net/mptcp/protocol.c:705 RSP: 0018:ffffc90000006e80 EFLAGS: 00010246 RAX: ffffffff83e9f674 RBX: ffff88802f45 d870 RCX: ffff888102ad0000 netlink: 8 bytes sobrantes despu\u00e9s de analizar los atributos en el proceso `syz-executor. 4\u0027. RDX: 0000000080000303 RSI: 0000000000013908 RDI: 0000000000003908 RBP: ffffc90000007110 R08: ffffffff83e9e078 R09: 1ffff1100e548c8a R10: 0000000000 R11: fffffed100e548c8b R12: 0000000000013908 R13: dffffc0000000000 R14: 0000000000003908 R15: 000000000031cf29 FS: 00007f239c47 e700(0000) GS:ffff88811b200000(0000) knlGS: 0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f239c45cd78 CR3: 000000006a66c006 CR4: 0000000000770ef0 DR0: 0000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Llamar Seguimiento:  mptcp_data_ready +0x263/0xac0 net/mptcp/protocol.c:819 subflow_data_ready+0x268/0x6d0 net/mptcp/subflow.c:1409 tcp_data_queue+0x21a1/0x7a60 net/ipv4/tcp_input.c:5151 tcp_rcv_establecido+0x950/0x1d 90 netos/ipv4/ tcp_input.c:6098 tcp_v6_do_rcv+0x554/0x12f0 net/ipv6/tcp_ipv6.c:1483 tcp_v6_rcv+0x2e26/0x3810 net/ipv6/tcp_ipv6.c:1749 ip6_protocol_deliver_rcu+0xd6b/0x1 ae0 net/ipv6/ip6_input.c:438 ip6_input+0x1c5 /0x470 net/ipv6/ip6_input.c:483 ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:304 __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5532 Process_backlog+0x353/0x660 net/core/dev. c:5974 __napi_poll+0xc6/0x5a0 net/core/dev.c:6536 net_rx_action+0x6a0/0xfd0 net/core/dev.c:6603 __do_softirq+0x184/0x524 kernel/softirq.c:553 do_softirq+0xdd/0x130 kernel/ softirq.c:454 Aborde el problema limitando expl\u00edcitamente el tama\u00f1o m\u00e1ximo de GSO a lo que MPTCP realmente permite.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/342b528c0e849bed9def76dadaa470d3af678e94\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/57ced2eb77343a91d28f4a73675b05fe7b555def\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/70ff9b65a72885b3a2dfde6709da1f19b85fa696\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9fce92f050f448a0d1ddd9083ef967d9930f1e52\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/342b528c0e849bed9def76dadaa470d3af678e94\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/57ced2eb77343a91d28f4a73675b05fe7b555def\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/70ff9b65a72885b3a2dfde6709da1f19b85fa696\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/9fce92f050f448a0d1ddd9083ef967d9930f1e52\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.