ghsa-9wr9-q3c6-m872
Vulnerability from github
Published
2025-10-22 15:31
Modified
2025-10-22 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64: csum: Fix OoB access in IP checksum code for negative lengths

Although commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-length calls") added an early return for zero-length input, syzkaller has popped up with an example of a negative length which causes an undefined shift and an out-of-bounds read:

| BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975 | | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 | Call trace: | dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233 | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240 | __dump_stack lib/dump_stack.c:88 [inline] | dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 | print_address_description mm/kasan/report.c:351 [inline] | print_report+0x174/0x514 mm/kasan/report.c:462 | kasan_report+0xd4/0x130 mm/kasan/report.c:572 | kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187 | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31 | do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 | csum_partial+0x30/0x58 lib/checksum.c:128 | gso_make_checksum include/linux/skbuff.h:4928 [inline] | __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332 | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47 | ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119 | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141 | __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401 | skb_gso_segment include/linux/netdevice.h:4859 [inline] | validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659 | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709 | sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327 | __dev_xmit_skb net/core/dev.c:3805 [inline] | __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210 | dev_queue_xmit include/linux/netdevice.h:3085 [inline] | packet_xmit+0x6c/0x318 net/packet/af_packet.c:276 | packet_snd net/packet/af_packet.c:3081 [inline] | packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113 | sock_sendmsg_nosec net/socket.c:724 [inline] | sock_sendmsg net/socket.c:747 [inline] | __sys_sendto+0x3b4/0x538 net/socket.c:2144

Extend the early return to reject negative lengths as well, aligning our implementation with the generic code in lib/checksum.c

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53726"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T14:15:47Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: csum: Fix OoB access in IP checksum code for negative lengths\n\nAlthough commit c2c24edb1d9c (\"arm64: csum: Fix pathological zero-length\ncalls\") added an early return for zero-length input, syzkaller has\npopped up with an example of a _negative_ length which causes an\nundefined shift and an out-of-bounds read:\n\n | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39\n | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975\n |\n | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0\n | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023\n | Call trace:\n |  dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233\n |  show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240\n |  __dump_stack lib/dump_stack.c:88 [inline]\n |  dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106\n |  print_address_description mm/kasan/report.c:351 [inline]\n |  print_report+0x174/0x514 mm/kasan/report.c:462\n |  kasan_report+0xd4/0x130 mm/kasan/report.c:572\n |  kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187\n |  __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31\n |  do_csum+0x44/0x254 arch/arm64/lib/csum.c:39\n |  csum_partial+0x30/0x58 lib/checksum.c:128\n |  gso_make_checksum include/linux/skbuff.h:4928 [inline]\n |  __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332\n |  udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47\n |  ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119\n |  skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141\n |  __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401\n |  skb_gso_segment include/linux/netdevice.h:4859 [inline]\n |  validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659\n |  validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709\n |  sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327\n |  __dev_xmit_skb net/core/dev.c:3805 [inline]\n |  __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210\n |  dev_queue_xmit include/linux/netdevice.h:3085 [inline]\n |  packet_xmit+0x6c/0x318 net/packet/af_packet.c:276\n |  packet_snd net/packet/af_packet.c:3081 [inline]\n |  packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113\n |  sock_sendmsg_nosec net/socket.c:724 [inline]\n |  sock_sendmsg net/socket.c:747 [inline]\n |  __sys_sendto+0x3b4/0x538 net/socket.c:2144\n\nExtend the early return to reject negative lengths as well, aligning our\nimplementation with the generic code in lib/checksum.c",
  "id": "GHSA-9wr9-q3c6-m872",
  "modified": "2025-10-22T15:31:11Z",
  "published": "2025-10-22T15:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53726"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a85727239a23de1cc8d93985f1056308128f3e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8bd795fedb8450ecbef18eeadbd23ed8fc7630f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a43563cfd6b9200ff2f76b3f9fcdcb217ceb523"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5ad2f87d8e74e351d3f500ad9d5b3a5653e1c6f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba0b46166b8e547024d02345a68b747841931ad2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fcdf904e866de0e3715835e50409fda3b2590527"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.