CVE-2023-52435: Linux Kernel Vulnerability Leads to MSS Overflow in skb_segment()

The Linux kernel vulnerability, CVE-2023-52435, was initially discovered by syzbot after the kernel crashed while testing the skb_segment() code [1]. The crash occurred due to the computation in skb_segment():

mss = mss * partial_segs;

Since 65535 is the product of 3 * 5 * 17 * 257, many initial values of MSS (Maximum Segment Size) produce a bad final result. The vulnerability arises when the new MSS value reaches or exceeds GSO_BY_FRAGS, a value that is reserved and must never be used as a real segment size.

To resolve this vulnerability, developers ensured that the new MSS value used for segmentation is always smaller than GSO_BY_FRAGS. The vulnerability affects the Linux kernel and allows the MSS computation in skb_segment() to reach the forbidden value, leading to a general protection fault.
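The following is an added example, not code from the page or from the kernel: it models the two computations in user space so the factorization argument can be checked directly. GSO_BY_FRAGS is the kernel's 0xFFFF sentinel; mss_before_fix() mirrors the multiplication quoted above, and mss_after_fix() applies the cap modelled on the upstream fix (dividing min(len, GSO_BY_FRAGS - 1) instead of len). The skb length of 65535 and the MSS of 257 are constructed inputs, and the helpers are simplified stand-ins for the real skb_segment() logic.

```c
#include <stdio.h>
#include <stdbool.h>

/* Reserved gso_size sentinel from the kernel headers (0xFFFF). A real
 * segment size must never equal it; later code treats it as "segment
 * by frag list" and dereferences pointers that may be NULL. */
#define GSO_BY_FRAGS 0xFFFFu

static unsigned int min_u(unsigned int a, unsigned int b)
{
    return a < b ? a : b;
}

/* Pre-fix shape of the computation: partial_segs = len / mss,
 * then mss *= partial_segs. Nothing stops the product landing on 65535. */
unsigned int mss_before_fix(unsigned int len, unsigned int mss)
{
    unsigned int partial_segs = len / mss;

    if (partial_segs > 1)
        mss *= partial_segs;
    return mss;
}

/* Post-fix shape (assumed, modelled on the upstream change): len is capped
 * at GSO_BY_FRAGS - 1 before dividing, so partial_segs * mss <= 65534. */
unsigned int mss_after_fix(unsigned int len, unsigned int mss)
{
    unsigned int partial_segs = min_u(len, GSO_BY_FRAGS - 1) / mss;

    if (partial_segs > 1)
        mss *= partial_segs;
    return mss;
}

/* Count initial mss values in [1, GSO_BY_FRAGS) for which an skb of
 * length len yields an effective mss equal to the sentinel. */
unsigned int count_sentinel_hits(unsigned int len, bool patched)
{
    unsigned int hits = 0;

    for (unsigned int mss = 1; mss < GSO_BY_FRAGS; mss++) {
        unsigned int eff = patched ? mss_after_fix(len, mss)
                                   : mss_before_fix(len, mss);
        if (eff == GSO_BY_FRAGS)
            hits++;
    }
    return hits;
}

int main(void)
{
    const unsigned int len = 65535; /* constructed skb length for the demo */

    printf("len=%u mss=257: before fix -> %u, after fix -> %u\n",
           len, mss_before_fix(len, 257), mss_after_fix(len, 257));
    printf("initial mss values reaching GSO_BY_FRAGS: before fix %u, after fix %u\n",
           count_sentinel_hits(len, false), count_sentinel_hits(len, true));
    return 0;
}
```

With len = 65535 every proper divisor of 65535 (fifteen of them, from 1 up to 21845) makes the unpatched product land exactly on the sentinel; with the cap in place none do, because floor(65534 / mss) * mss can never exceed 65534.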

Here is the crash report from syzbot:

general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551

--- truncated ---

The vulnerability can crash the kernel, as shown in the syzbot crash log above. More information about the vulnerability and the relevant code is available at the following reference links:

- syzbot report
- skb_segment() in Linux kernel source code

In conclusion, CVE-2023-52435 is a significant vulnerability in the Linux kernel that can drive the MSS computation in skb_segment() to a forbidden value. The development team resolved the issue by ensuring that new MSS values used for segmentation remain below GSO_BY_FRAGS. Users should stay informed about vulnerabilities like this one and keep their systems up to date.

Timeline

Published on: 02/20/2024 20:15:08 UTC
Last modified on: 03/15/2024 14:06:17 UTC