CVE-2023-52523
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-52523
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52523.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-52523
- Downstream
- Related
- Published
- 2024-03-02T21:52:30Z
- Modified
- 2025-10-21T14:18:51.445133Z
- Summary
- bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages sent from one TCP socket (s1) to actually egress from another TCP socket (s2):
tcpbpfsendmsg(s1) // = skprot->sendmsg tcpbpfsendverdict(s1) // _SKREDIRECT case tcpbpfsendmsgredir(s2) tcpbpfpushlocked(s2) tcpbpfpush(s2) tcpratecheckapplimited(s2) // expects tcpsock tcpsendmsg_locked(s2) // ditto
There is a hard-coded assumption in the call-chain, that the egress socket (s2) is a TCP socket.
However in commit 122e6c79efe1 ("sockmap: Update sock type checks for UDP") we have enabled redirects to non-TCP sockets. This was done for the sake of BPF skskb programs. There was no indention to support sk_msg send-to-egress use case.
As a result, attempts to send-to-egress through a non-TCP socket lead to a crash due to invalid downcast from sock to tcp_sock:
BUG: kernel NULL pointer dereference, address: 000000000000002f ... Call Trace: <TASK> ? showregs+0x60/0x70 ? _die+0x1f/0x70 ? pagefaultoops+0x80/0x160 ? douseraddrfault+0x2d7/0x800 ? rcuiswatching+0x11/0x50 ? excpagefault+0x70/0x1c0 ? asmexcpagefault+0x27/0x30 ? tcptsosegs+0x14/0xa0 tcpwritexmit+0x67/0xce0 _tcppushpendingframes+0x32/0xf0 tcppush+0x107/0x140 tcpsendmsglocked+0x99f/0xbb0 tcpbpfpush+0x19d/0x3a0 tcpbpfsendmsgredir+0x55/0xd0 tcpbpfsendverdict+0x407/0x550 tcpbpfsendmsg+0x1a1/0x390 inetsendmsg+0x6a/0x70 socksendmsg+0x9d/0xc0 ? sockfdlookuplight+0x12/0x80 _syssendto+0x10e/0x160 ? syscallenterfromusermode+0x20/0x60 ? _thiscpupreemptcheck+0x13/0x20 ? lockdephardirqson+0x82/0x110 _x64syssendto+0x1f/0x30 dosyscall64+0x38/0x90 entrySYSCALL64afterhwframe+0x63/0xcd
Reject selecting a non-TCP sockets as redirect target from a BPF sk_msg program to prevent the crash. When attempted, user will receive an EACCES error from send/sendto/sendmsg() syscall.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/b80e31baa43614e086a9d29dc1151932b1bd7fc5
- https://git.kernel.org/stable/c/b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2
- https://git.kernel.org/stable/c/bc8b89b6963803a123f64aa9494155a037b3d728
- https://git.kernel.org/stable/c/ded6e448028f0f91b6af35985afca01fa02a9089
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced122e6c79efe1c25816118aca9cfabe54e99c2432Fixedbc8b89b6963803a123f64aa9494155a037b3d728
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced122e6c79efe1c25816118aca9cfabe54e99c2432Fixedb8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced122e6c79efe1c25816118aca9cfabe54e99c2432Fixedded6e448028f0f91b6af35985afca01fa02a9089
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced122e6c79efe1c25816118aca9cfabe54e99c2432Fixedb80e31baa43614e086a9d29dc1151932b1bd7fc5
Affected versions
v5.*
v5.12
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.100
v5.15.101
v5.15.102
v5.15.103
v5.15.104
v5.15.105
v5.15.106
v5.15.107
v5.15.108
v5.15.109
v5.15.11
v5.15.110
v5.15.111
v5.15.112
v5.15.113
v5.15.114
v5.15.115
v5.15.116
v5.15.117
v5.15.118
v5.15.119
v5.15.12
v5.15.120
v5.15.121
v5.15.122
v5.15.123
v5.15.124
v5.15.125
v5.15.126
v5.15.127
v5.15.128
v5.15.129
v5.15.13
v5.15.130
v5.15.131
v5.15.132
v5.15.133
v5.15.134
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.82
v5.15.83
v5.15.84
v5.15.85
v5.15.86
v5.15.87
v5.15.88
v5.15.89
v5.15.9
v5.15.90
v5.15.91
v5.15.92
v5.15.93
v5.15.94
v5.15.95
v5.15.96
v5.15.97
v5.15.98
v5.15.99
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.2
v6.5.3
v6.5.4
v6.5.5
v6.5.6
v6.6-rc1
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bc8b89b6963803a123f64aa9494155a037b3d728",
"deprecated": false,
"id": "CVE-2023-52523-1675137b",
"signature_type": "Function",
"digest": {
"function_hash": "90634067096697182849506338032226349472",
"length": 339.0
},
"target": {
"function": "BPF_CALL_4",
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ded6e448028f0f91b6af35985afca01fa02a9089",
"deprecated": false,
"id": "CVE-2023-52523-297ba174",
"signature_type": "Function",
"digest": {
"function_hash": "173701315733894915613968771849045028421",
"length": 337.0
},
"target": {
"function": "BPF_CALL_4",
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bc8b89b6963803a123f64aa9494155a037b3d728",
"deprecated": false,
"id": "CVE-2023-52523-35896dbf",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"179831103928836369414019196218508110783",
"105898858721848221147221265233485040368",
"96882551138541785968723497829589236874",
"240524541227834958880418648997822106745",
"142623076107768541837703396818247592395",
"81033545361818267882658726917988075153",
"96882551138541785968723497829589236874",
"240524541227834958880418648997822106745"
]
},
"target": {
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b80e31baa43614e086a9d29dc1151932b1bd7fc5",
"deprecated": false,
"id": "CVE-2023-52523-3e08dba4",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"179831103928836369414019196218508110783",
"105898858721848221147221265233485040368",
"96882551138541785968723497829589236874",
"240524541227834958880418648997822106745",
"142623076107768541837703396818247592395",
"81033545361818267882658726917988075153",
"96882551138541785968723497829589236874",
"240524541227834958880418648997822106745"
]
},
"target": {
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b80e31baa43614e086a9d29dc1151932b1bd7fc5",
"deprecated": false,
"id": "CVE-2023-52523-4fcd8439",
"signature_type": "Function",
"digest": {
"function_hash": "173701315733894915613968771849045028421",
"length": 337.0
},
"target": {
"function": "BPF_CALL_4",
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bc8b89b6963803a123f64aa9494155a037b3d728",
"deprecated": false,
"id": "CVE-2023-52523-808a7ae7",
"signature_type": "Function",
"digest": {
"function_hash": "173701315733894915613968771849045028421",
"length": 337.0
},
"target": {
"function": "BPF_CALL_4",
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b80e31baa43614e086a9d29dc1151932b1bd7fc5",
"deprecated": false,
"id": "CVE-2023-52523-ac676776",
"signature_type": "Function",
"digest": {
"function_hash": "90634067096697182849506338032226349472",
"length": 339.0
},
"target": {
"function": "BPF_CALL_4",
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2",
"deprecated": false,
"id": "CVE-2023-52523-b1b064e1",
"signature_type": "Function",
"digest": {
"function_hash": "90634067096697182849506338032226349472",
"length": 339.0
},
"target": {
"function": "BPF_CALL_4",
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2",
"deprecated": false,
"id": "CVE-2023-52523-c8926ca8",
"signature_type": "Function",
"digest": {
"function_hash": "173701315733894915613968771849045028421",
"length": 337.0
},
"target": {
"function": "BPF_CALL_4",
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b8f97e47b6fb84fcf2f5a22e725eefb6cf5070c2",
"deprecated": false,
"id": "CVE-2023-52523-ec3a0647",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"179831103928836369414019196218508110783",
"105898858721848221147221265233485040368",
"96882551138541785968723497829589236874",
"240524541227834958880418648997822106745",
"142623076107768541837703396818247592395",
"81033545361818267882658726917988075153",
"96882551138541785968723497829589236874",
"240524541227834958880418648997822106745"
]
},
"target": {
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ded6e448028f0f91b6af35985afca01fa02a9089",
"deprecated": false,
"id": "CVE-2023-52523-fbfd616e",
"signature_type": "Function",
"digest": {
"function_hash": "90634067096697182849506338032226349472",
"length": 339.0
},
"target": {
"function": "BPF_CALL_4",
"file": "net/core/sock_map.c"
}
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ded6e448028f0f91b6af35985afca01fa02a9089",
"deprecated": false,
"id": "CVE-2023-52523-ffd2b170",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"179831103928836369414019196218508110783",
"105898858721848221147221265233485040368",
"96882551138541785968723497829589236874",
"240524541227834958880418648997822106745",
"142623076107768541837703396818247592395",
"81033545361818267882658726917988075153",
"96882551138541785968723497829589236874",
"240524541227834958880418648997822106745"
]
},
"target": {
"file": "net/core/sock_map.c"
}
}
]