
CVE-2023-52610

Date: 2024-03-18 00:00:00
Source: ubuntu.com
Tags: linux kernel net/sched vulnerability, skb leak prevention, out of order fragments, crash prevention

AI Score: 6.2 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 15.1%)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: fix skb leak and crash on ooo frags

act_ct adds skb->users before defragmentation. If frags arrive in order, the last frag's reference is reset in:

    inet_frag_reasm_prepare
      skb_morph

which is not straightforward. However, when frags arrive out of order, nobody unrefs the last frag, and all frags are leaked. The situation is even worse, as initiating packet capture can lead to a crash [0] when the skb has been cloned and shared at the same time.

Fix the issue by removing skb_get() before defragmentation. act_ct returns TC_ACT_CONSUMED when defrag failed or is in progress.

[0]:

    [  843.804823] ------------[ cut here ]------------
    [  843.809659] kernel BUG at net/core/skbuff.c:2091!
    [  843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
    [  843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
    [  843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
    [  843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
    [  843.898539] Call Trace:
    [  843.902772]  <IRQ>
    [  843.906922]  ? __die_body+0x1e/0x60
    [  843.911032]  ? die+0x3c/0x60
    [  843.915037]  ? do_trap+0xe2/0x110
    [  843.918911]  ? pskb_expand_head+0x2ac/0x300
    [  843.922687]  ? do_error_trap+0x65/0x80
    [  843.926342]  ? pskb_expand_head+0x2ac/0x300
    [  843.929905]  ? exc_invalid_op+0x50/0x60
    [  843.933398]  ? pskb_expand_head+0x2ac/0x300
    [  843.936835]  ? asm_exc_invalid_op+0x1a/0x20
    [  843.940226]  ? pskb_expand_head+0x2ac/0x300
    [  843.943580]  inet_frag_reasm_prepare+0xd1/0x240
    [  843.946904]  ip_defrag+0x5d4/0x870
    [  843.950132]  nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
    [  843.953334]  tcf_ct_act+0x252/0xd90 [act_ct]
    [  843.956473]  ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
    [  843.959657]  tcf_action_exec+0xa1/0x160
    [  843.962823]  fl_classify+0x1db/0x1f0 [cls_flower]
    [  843.966010]  ? skb_clone+0x53/0xc0
    [  843.969173]  tcf_classify+0x24d/0x420
    [  843.972333]  tc_run+0x8f/0xf0
    [  843.975465]  __netif_receive_skb_core+0x67a/0x1080
    [  843.978634]  ? dev_gro_receive+0x249/0x730
    [  843.981759]  __netif_receive_skb_list_core+0x12d/0x260
    [  843.984869]  netif_receive_skb_list_internal+0x1cb/0x2f0
    [  843.987957]  ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
    [  843.991170]  napi_complete_done+0x72/0x1a0
    [  843.994305]  mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
    [  843.997501]  __napi_poll+0x25/0x1b0
    [  844.000627]  net_rx_action+0x256/0x330
    [  844.003705]  __do_softirq+0xb3/0x29b
    [  844.006718]  irq_exit_rcu+0x9e/0xc0
    [  844.009672]  common_interrupt+0x86/0xa0
    [  844.012537]  </IRQ>
    [  844.015285]  <TASK>
    [  844.017937]  asm_common_interrupt+0x26/0x40
    [  844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
    —truncated—

Notes

Author note (rodrigo-zaiden): USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state.
