CVE-2023-52991

{"id": "CVE-2023-52991", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-03-27T17:15:46.540", "references": [{"url": "https://git.kernel.org/stable/c/046de74f9af92ae9ffce75fa22a1795223f4fb54", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6446369fb9f083ce032448c5047da08e298b22e6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/876e8ca8366735a604bac86ff7e2732fc9d85d2d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/888dad6f3e85e3b2f8389bd6478f181efc72534d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer in skb_segment_list\n\nCommit 3a1296a38d0c (\"net: Support GRO/GSO fraglist chaining.\")\nintroduced UDP listifyed GRO. The segmentation relies on frag_list being\nuntouched when passing through the network stack. This assumption can be\nbroken sometimes, where frag_list itself gets pulled into linear area,\nleaving frag_list being NULL. When this happens it can trigger\nfollowing NULL pointer dereference, and panic the kernel. Reverse the\ntest condition should fix it.\n\n[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:\n...\n[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390\n...\n[19185.834644][ C1] Call Trace:\n[19185.841730][ C1] <TASK>\n[19185.848563][ C1] __udp_gso_segment+0x33e/0x510\n[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0\n[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110\n[19185.874939][ C1] __skb_gso_segment+0xb2/0x160\n[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0\n[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90\n[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200\n[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60\n[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0\n[19185.927834][ C1] process_backlog+0x88/0x130\n[19185.935840][ C1] __napi_poll+0x27/0x150\n[19185.943447][ C1] net_rx_action+0x27e/0x5f0\n[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]\n[19185.960848][ C1] __do_softirq+0xbc/0x25d\n[19185.968607][ C1] irq_exit_rcu+0x83/0xb0\n[19185.976247][ C1] common_interrupt+0x43/0xa0\n[19185.984235][ C1] asm_common_interrupt+0x22/0x40\n...\n[19186.094106][ C1] </TASK>"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: correcci\u00f3n de puntero nulo en skb_segment_list. El commit 3a1296a38d0c (\"net: Compatibilidad con encadenamiento de fraglist GRO/GSO\") introdujo GRO con lista UDP. La segmentaci\u00f3n depende de que frag_list permanezca intacto al pasar por la pila de red. Esta suposici\u00f3n puede fallar a veces, ya que frag_list se arrastra al \u00e1rea lineal, dejando frag_list como nulo. Cuando esto sucede, puede desencadenar la consiguiente desreferencia de puntero nulo y generar un p\u00e1nico en el kernel. Revertir la condici\u00f3n de prueba deber\u00eda solucionarlo. [19185.577801][ C1] ERROR: desreferencia de puntero NULL del n\u00facleo, direcci\u00f3n: ... [19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390 ... [19185.834644][ C1] Rastreo de llamadas: [19185.841730][ C1] [19185.848563][ C1] __udp_gso_segment+0x33e/0x510 [19185.857370][ C1] inet_gso_segment+0x15b/0x3e0 [19185.866059][ C1] skb_mac_gso_segment+0x97/0x110 [19185.874939][ C1] __skb_gso_segment+0xb2/0x160 [19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0 [19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90 [19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200 [19185.910003][ C1] ip_local_deliver_finish+0x44/0x60 [19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0 [19185.927834][ C1] registro_de_proceso+0x88/0x130 [19185.935840][ C1] __napi_poll+0x27/0x150 [19185.943447][ C1] acci\u00f3n_de_rx_net+0x27e/0x5f0 [19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core] [19185.960848][ C1] __do_softirq+0xbc/0x25d [19185.968607][ C1] irq_exit_rcu+0x83/0xb0 [19185.976247][ C1] common_interrupt+0x43/0xa0 [19185.984235][ C1] asm_common_interrupt+0x22/0x40 ... [19186.094106][ C1] "}], "lastModified": "2025-04-15T14:32:09.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "101645FF-CEF8-4860-A44D-A0DA5F0D4E5C", "versionEndExcluding": "5.10.167", "versionStartIncluding": "5.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82E7FA6E-E503-40DE-995C-EB8E2C9CDAE3", "versionEndExcluding": "5.15.92", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "482D2612-A4D4-4A68-AC23-52F6BE89878B", "versionEndExcluding": "6.1.10", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D34127CC-68F5-4703-A5F6-5006F803E4AE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AB8D555-648E-4F2F-98BD-3E7F45BD12A8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}