CVE-2023-53601

In the Linux kernel, the following vulnerability has been resolved:

bonding: do not assume skb mac_header is set

Drivers must not assume in their ndostartxmit() that skbs have their mac_header set. skb->data is all what is needed.

bonding seems to be one of the last offender as caught by syzbot:

WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 skbmacoffset include/linux/skbuff.h:2913 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bondxmithash drivers/net/bonding/bondmain.c:4170 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bondxmit3adxorslaveget drivers/net/bonding/bondmain.c:5149 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond3adxorxmit drivers/net/bonding/bondmain.c:5186 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bondstartxmit drivers/net/bonding/bondmain.c:5442 [inline] WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bondstartxmit+0x14ab/0x19d0 drivers/net/bonding/bondmain.c:5470 Modules linked in: CPU: 1 PID: 12155 Comm: syz-executor.3 Not tainted 6.1.30-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 RIP: 0010:skbmacheader include/linux/skbuff.h:2907 [inline] RIP: 0010:skbmacoffset include/linux/skbuff.h:2913 [inline] RIP: 0010:bondxmithash drivers/net/bonding/bondmain.c:4170 [inline] RIP: 0010:bondxmit3adxorslaveget drivers/net/bonding/bondmain.c:5149 [inline] RIP: 0010:bond3adxorxmit drivers/net/bonding/bondmain.c:5186 [inline] RIP: 0010:bondstartxmit drivers/net/bonding/bondmain.c:5442 [inline] RIP: 0010:bondstartxmit+0x14ab/0x19d0 drivers/net/bonding/bondmain.c:5470 Code: 8b 7c 24 30 e8 76 dd 1a 01 48 85 c0 74 0d 48 89 c3 e8 29 67 2e fe e9 15 ef ff ff e8 1f 67 2e fe e9 10 ef ff ff e8 15 67 2e fe <0f> 0b e9 45 f8 ff ff e8 09 67 2e fe e9 dc fa ff ff e8 ff 66 2e fe RSP: 0018:ffffc90002fff6e0 EFLAGS: 00010283 RAX: ffffffff835874db RBX: 000000000000ffff RCX: 0000000000040000 RDX: ffffc90004dcf000 RSI: 00000000000000b5 RDI: 00000000000000b6 RBP: ffffc90002fff8b8 R08: ffffffff83586d16 R09: ffffffff83586584 R10: 0000000000000007 R11: ffff8881599fc780 R12: ffff88811b6a7b7e R13: 1ffff110236d4f6f R14: ffff88811b6a7ac0 R15: 1ffff110236d4f76 FS: 00007f2e9eb47700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2e421000 CR3: 000000010e6d4000 CR4: 00000000003526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> [<ffffffff8471a49f>] netdevstartxmit include/linux/netdevice.h:4925 [inline] [<ffffffff8471a49f>] _devdirectxmit+0x4ef/0x850 net/core/dev.c:4380 [<ffffffff851d845b>] devdirectxmit include/linux/netdevice.h:3043 [inline] [<ffffffff851d845b>] packetdirectxmit+0x18b/0x300 net/packet/afpacket.c:284 [<ffffffff851c7472>] packetsnd net/packet/afpacket.c:3112 [inline] [<ffffffff851c7472>] packetsendmsg+0x4a22/0x64d0 net/packet/afpacket.c:3143 [<ffffffff8467a4b2>] socksendmsgnosec net/socket.c:716 [inline] [<ffffffff8467a4b2>] socksendmsg net/socket.c:736 [inline] [<ffffffff8467a4b2>] _syssendto+0x472/0x5f0 net/socket.c:2139 [<ffffffff8467a715>] _dosyssendto net/socket.c:2151 [inline] [<ffffffff8467a715>] _sesyssendto net/socket.c:2147 [inline] [<ffffffff8467a715>] _x64syssendto+0xe5/0x100 net/socket.c:2147 [<ffffffff8553071f>] dosyscallx64 arch/x86/entry/common.c:50 [inline] [<ffffffff8553071f>] dosyscall64+0x2f/0x50 arch/x86/entry/common.c:80 [<ffffffff85600087>] entrySYSCALL64afterhwframe+0x63/0xcd