CVE-2023-52580
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-52580
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52580.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-52580
- Downstream
- Related
- Published
- 2024-03-02T21:59:47Z
- Modified
- 2025-10-15T03:57:42.475995Z
- Summary
- net/core: Fix ETH_P_1588 flow dissector
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/core: Fix ETHP1588 flow dissector
When a PTP ethernet raw frame with a size of more than 256 bytes followed by a 0xff pattern is sent to _skbflowdissect, nhoff value calculation is wrong. For example: hdr->messagelength takes the wrong value (0xffff) and it does not replicate real header length. In this case, 'nhoff' value was overridden and the PTP header was badly dissected. This leads to a kernel crash.
net/core: flowdissector net/core flow dissector nhoff = 0x0000000e net/core flow dissector hdr->messagelength = 0x0000ffff net/core flow dissector nhoff = 0x0001000d (u16 overflow) ... skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Using the size of the ptp_header struct will allow the corrected calculation of the nhoff value.
net/core flow dissector nhoff = 0x0000000e net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header) ... skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Kernel trace: [ 74.984279] ------------[ cut here ]------------ [ 74.989471] kernel BUG at include/linux/skbuff.h:2440! [ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1 [ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SBADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023 [ 75.026507] RIP: 0010:ethtypetrans+0xd0/0x130 [ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9 [ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297 [ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003 [ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300 [ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800 [ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010 [ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800 [ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000 [ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0 [ 75.121980] PKRU: 55555554 [ 75.125035] Call Trace: [ 75.127792] <IRQ> [ 75.130063] ? ethgetheadlen+0xa4/0xc0 [ 75.134472] igcprocessskbfields+0xcd/0x150 [ 75.139461] igcpoll+0xc80/0x17b0 [ 75.143272] _napipoll+0x27/0x170 [ 75.147192] netrxaction+0x234/0x280 [ 75.151409] _dosoftirq+0xef/0x2f4 [ 75.155424] irqexitrcu+0xc7/0x110 [ 75.159432] commoninterrupt+0xb8/0xd0 [ 75.163748] </IRQ> [ 75.166112] <TASK> [ 75.168473] asmcommoninterrupt+0x22/0x40 [ 75.173175] RIP: 0010:cpuidleenterstate+0xe2/0x350 [ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1 [ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202 [ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f [ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20 [ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001 [ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980 [ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000 [ 75.245635] ? ---truncated---
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/488ea2a3e2666022f79abfdd7d12e8305fc27a40
- https://git.kernel.org/stable/c/48e105a2a1a10adc21c0ae717969f5e8e990ba48
- https://git.kernel.org/stable/c/75ad80ed88a182ab2ad5513e448cf07b403af5c3
- https://git.kernel.org/stable/c/f90a7b9586d72f907092078a9f394733ca502cc9
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6Fixedf90a7b9586d72f907092078a9f394733ca502cc9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6Fixed488ea2a3e2666022f79abfdd7d12e8305fc27a40
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6Fixed48e105a2a1a10adc21c0ae717969f5e8e990ba48
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f1cc51f34886d645cd3e8fc2915cc9b7a55c3b6Fixed75ad80ed88a182ab2ad5513e448cf07b403af5c3
Affected versions
v5.*
v6.*
Database specific
{
"vanir_signatures": [
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "net/core/flow_dissector.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"73891973141337930405071321328909568342",
"259490065146051412564012526690408625987",
"339801609352079030370874874043810245785",
"201733757854253448098986119026048434532"
],
"threshold": 0.9
},
"id": "CVE-2023-52580-48004779",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@488ea2a3e2666022f79abfdd7d12e8305fc27a40"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "net/core/flow_dissector.c",
"function": "__skb_flow_dissect"
},
"deprecated": false,
"digest": {
"length": 12008.0,
"function_hash": "188541397255750609143256462794778412681"
},
"id": "CVE-2023-52580-52fa44c2",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@488ea2a3e2666022f79abfdd7d12e8305fc27a40"
},
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "net/core/flow_dissector.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"73891973141337930405071321328909568342",
"259490065146051412564012526690408625987",
"339801609352079030370874874043810245785",
"201733757854253448098986119026048434532"
],
"threshold": 0.9
},
"id": "CVE-2023-52580-560d4176",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f90a7b9586d72f907092078a9f394733ca502cc9"
},
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "net/core/flow_dissector.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"73891973141337930405071321328909568342",
"259490065146051412564012526690408625987",
"339801609352079030370874874043810245785",
"201733757854253448098986119026048434532"
],
"threshold": 0.9
},
"id": "CVE-2023-52580-5cff894a",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75ad80ed88a182ab2ad5513e448cf07b403af5c3"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "net/core/flow_dissector.c",
"function": "__skb_flow_dissect"
},
"deprecated": false,
"digest": {
"length": 12199.0,
"function_hash": "261963045611380819915191837344233048361"
},
"id": "CVE-2023-52580-6b14fed0",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@48e105a2a1a10adc21c0ae717969f5e8e990ba48"
},
{
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "net/core/flow_dissector.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"73891973141337930405071321328909568342",
"259490065146051412564012526690408625987",
"339801609352079030370874874043810245785",
"201733757854253448098986119026048434532"
],
"threshold": 0.9
},
"id": "CVE-2023-52580-a8f5d63f",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@48e105a2a1a10adc21c0ae717969f5e8e990ba48"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "net/core/flow_dissector.c",
"function": "__skb_flow_dissect"
},
"deprecated": false,
"digest": {
"length": 10153.0,
"function_hash": "181848904257733493691958571262404530270"
},
"id": "CVE-2023-52580-f780774b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f90a7b9586d72f907092078a9f394733ca502cc9"
},
{
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "net/core/flow_dissector.c",
"function": "__skb_flow_dissect"
},
"deprecated": false,
"digest": {
"length": 12374.0,
"function_hash": "78457911483375522898475091943661228607"
},
"id": "CVE-2023-52580-f96fe321",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75ad80ed88a182ab2ad5513e448cf07b403af5c3"
}
]
}