CVE-2023-52796

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-52796
In the Linux kernel, the following vulnerability has been resolved: ipvlan: add ipvlan_route_v6_outbound() helper Inspired by syzbot reports using a stack of multiple ipvlan devices. Reduce stack size needed in ipvlan_process_v6_outbound() by moving the flowi6 struct used for the route lookup in an non inlined helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack, immediately reclaimed. Also make sure ipvlan_process_v4_outbound() is not inlined. We might also have to lower MAX_NEST_DEV, because only syzbot uses setups with more than four stacked devices. BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000) stack guard page: 0000 [#1] SMP KASAN CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188 Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89 RSP: 0018:ffffc9000e804000 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568 RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000 FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <#DF> </#DF> <TASK> [<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 [<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline] [<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] [<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline] [<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline] [<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline] [<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632 [<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306 [<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline] [<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221 [<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606 [<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline] [<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116 [<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638 [<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651 [<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline] [<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline] [<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<f ---truncated---

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458 Patch
https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2 Patch
https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f Patch
https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02 Patch
https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542 Patch
https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a Patch
https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760 Patch
https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56 Patch
https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458 Patch
https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2 Patch
https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f Patch
https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02 Patch
https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542 Patch
https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a Patch
https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760 Patch
https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.7:rc1:*:*:*:*:*:*
History

23 Sep 2025, 20:12

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458 - () https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458 - Patch
References () https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2 - () https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2 - Patch
References () https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f - () https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f - Patch
References () https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02 - () https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02 - Patch
References () https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542 - () https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542 - Patch
References () https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a - () https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a - Patch
References () https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760 - () https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760 - Patch
References () https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56 - () https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56 - Patch
First Time Linux
Linux linux Kernel
CPE cpe:2.3:o:linux:linux_kernel:6.7:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CWE CWE-787
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8

21 Nov 2024, 08:40

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ipvlan: agregue el asistente ipvlan_route_v6_outbound(). Inspirado en los informes de syzbot que utilizan una pila de múltiples dispositivos ipvlan. Reduzca el tamaño de pila necesario en ipvlan_process_v6_outbound() moviendo la estructura flowi6 utilizada para la búsqueda de rutas en un asistente no integrado. ipvlan_route_v6_outbound() necesita 120 bytes en la pila, que se recuperan inmediatamente. También asegúrese de que ipvlan_process_v4_outbound() no esté incluido. Es posible que también tengamos que reducir MAX_NEST_DEV, porque solo syzbot usa configuraciones con más de cuatro dispositivos apilados. ERROR: La página de protección de la pila de TAREA fue alcanzada en ffffc9000e803ff8 (la pila es ffffc9000e804000..ffffc9000e808000) página de protección de la pila: 0000 [#1] SMP KASAN CPU: 0 PID: 13442 Comm: syz-executor.4 No contaminado 6.1.52-syzkaller # 0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/10/2023 RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188 Código: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 &lt;41&gt; 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0 f 84 a4 01 00 00 48 89 RSP: 0018:ffffc9000e804000 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000000000 RCX: ffffffff817e5bf2 RDX: 000000000 RSI: 0000000000000008 RDI: ffffffff887c6568 RBP: ffffc9000e804000 R08: 00000000000000000 R09: 0000000000000000 R10: 000000000000000 00 R11: dffffc0000000001 R12: 1ffff92001d0080c R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000 FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:00000000000000 00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: &lt;#DF&gt; [] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 [] instrument_atomic_read include/linux/instrumented.h:72 [en línea] [] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [en línea] [] cpumask_test_cpu include/linux /cpumask.h:506 [en línea] [] cpu_online include/linux/cpumask.h:1092 [en línea] [] trace_lock_acquire include/trace/events/lock.h:24 [en línea] [] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632 [] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306 [] rcu_read_lock include/linux/rcupdate.h:747 [en línea] [] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221 [] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606 [ ] pol_lookup_func incluir/net /ip6_fib.h:584 [en línea] [] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116 [] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route .c:2638 [] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651 [] ip6_route_output include/net/ip6_route.h:100 [en línea] [] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan _core.c: 473 [en línea] [] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [en línea] [] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [en línea] [ ] ipvlan_queue_xmit +0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [] netdev_start_xmit include/linux/netdevice.h: 4966 [en línea] [] xmit_one net/core/dev.c:3644 [en línea] [] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [] __dev_queue_xmit+ 0x16b2/ 0x3370 net/core/dev.c:4324 --truncado--
References () https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458 - () https://git.kernel.org/stable/c/03cddc4df8c6be47fd27c8f8b87e5f9a989e1458 -
References () https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2 - () https://git.kernel.org/stable/c/18f039428c7df183b09c69ebf10ffd4e521035d2 -
References () https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f - () https://git.kernel.org/stable/c/1f64cad3ac38ac5978b53c40e6c5e6fd3477c68f -
References () https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02 - () https://git.kernel.org/stable/c/43b781e7cb5cd0b435de276111953bf2bacd1f02 -
References () https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542 - () https://git.kernel.org/stable/c/4d2d30f0792b47908af64c4d02ed1ee25ff50542 -
References () https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a - () https://git.kernel.org/stable/c/4f7f850611aa27aaaf1bf5687702ad2240ae442a -
References () https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760 - () https://git.kernel.org/stable/c/732a67ca436887b594ebc43bb5a04ffb0971a760 -
References () https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56 - () https://git.kernel.org/stable/c/8872dc638c24bb774cd2224a69d72a7f661a4d56 -

21 May 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-21 16:15

Updated : 2025-09-23 20:12

NVD link : CVE-2023-52796

Mitre link : CVE-2023-52796

CVE.ORG link : CVE-2023-52796

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-787

Out-of-bounds Write