Home

Description

In the Linux kernel, the following vulnerability has been resolved: net: add vlan_get_protocol_and_depth() helper Before blamed commit, pskb_may_pull() was used instead of skb_header_pointer() in __vlan_get_protocol() and friends. Few callers depended on skb->head being populated with MAC header, syzbot caught one of them (skb_mac_gso_segment()) Add vlan_get_protocol_and_depth() to make the intent clearer and use it where sensible. This is a more generic fix than commit e9d3f80935b6 ("net/af_packet: make sure to pull mac header") which was dealing with a similar issue. kernel BUG at include/linux/skbuff.h:2655 ! invalid opcode: 0000 [#1] SMP KASAN CPU: 0 PID: 1441 Comm: syz-executor199 Not tainted 6.1.24-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 RIP: 0010:__skb_pull include/linux/skbuff.h:2655 [inline] RIP: 0010:skb_mac_gso_segment+0x68f/0x6a0 net/core/gro.c:136 Code: fd 48 8b 5c 24 10 44 89 6b 70 48 c7 c7 c0 ae 0d 86 44 89 e6 e8 a1 91 d0 00 48 c7 c7 00 af 0d 86 48 89 de 31 d2 e8 d1 4a e9 ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 RSP: 0018:ffffc90001bd7520 EFLAGS: 00010286 RAX: ffffffff8469736a RBX: ffff88810f31dac0 RCX: ffff888115a18b00 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90001bd75e8 R08: ffffffff84697183 R09: fffff5200037adf9 R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000012 R13: 000000000000fee5 R14: 0000000000005865 R15: 000000000000fed7 FS: 000055555633f300(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 0000000116fea000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> [<ffffffff847018dd>] __skb_gso_segment+0x32d/0x4c0 net/core/dev.c:3419 [<ffffffff8470398a>] skb_gso_segment include/linux/netdevice.h:4819 [inline] [<ffffffff8470398a>] validate_xmit_skb+0x3aa/0xee0 net/core/dev.c:3725 [<ffffffff84707042>] __dev_queue_xmit+0x1332/0x3300 net/core/dev.c:4313 [<ffffffff851a9ec7>] dev_queue_xmit+0x17/0x20 include/linux/netdevice.h:3029 [<ffffffff851b4a82>] packet_snd net/packet/af_packet.c:3111 [inline] [<ffffffff851b4a82>] packet_sendmsg+0x49d2/0x6470 net/packet/af_packet.c:3142 [<ffffffff84669a12>] sock_sendmsg_nosec net/socket.c:716 [inline] [<ffffffff84669a12>] sock_sendmsg net/socket.c:736 [inline] [<ffffffff84669a12>] __sys_sendto+0x472/0x5f0 net/socket.c:2139 [<ffffffff84669c75>] __do_sys_sendto net/socket.c:2151 [inline] [<ffffffff84669c75>] __se_sys_sendto net/socket.c:2147 [inline] [<ffffffff84669c75>] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147 [<ffffffff8551d40f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff8551d40f>] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80 [<ffffffff85600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

PUBLISHED Reserved 2025-09-17 | Published 2025-09-18 | Updated 2025-09-18 | Assigner Linux

Product status

Default status
unaffected

30d015f5ecd9ce5706ad18a4a0649f364e3e6f7b (git) before 4188c5269475ac59d467b5814c5df02756f6d907
affected

469aceddfa3ed16e17ee30533fae45e90f62efd8 (git) before 34a5ee69ec6273f0aee79e7ce4d14afc83ca8122
affected

469aceddfa3ed16e17ee30533fae45e90f62efd8 (git) before 9dd9ffe118415b4ac1cebac43443000072bc8f46
affected

469aceddfa3ed16e17ee30533fae45e90f62efd8 (git) before 55caf900e13cd04466def08173a14b41d18c19c3
affected

469aceddfa3ed16e17ee30533fae45e90f62efd8 (git) before 15eaeb8941f12fcc2713c4bf6eb8f76a37854b4d
affected

469aceddfa3ed16e17ee30533fae45e90f62efd8 (git) before 4063384ef762cc5946fc7a3f89879e76c6ec51e2
affected

bb7b26278b384dad1423101dc69157b63968ed1c (git)
affected

a890a3d3115da196ff25599fe900f34016a4ef49 (git)
affected

502bbb8480c38ae6caa4f890b98db3b2a4ae919a (git)
affected

d4d0e6c07bcd17d704afe64e10382ffc5d342765 (git)
affected

754056791f66153890825c2626174aaa7fe82d16 (git)
affected

Default status
affected

5.8
affected

Any version before 5.8
unaffected

5.4.244 (semver)
unaffected

5.10.181 (semver)
unaffected

5.15.113 (semver)
unaffected

6.1.30 (semver)
unaffected

6.3.4 (semver)
unaffected

6.4 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/4188c5269475ac59d467b5814c5df02756f6d907

git.kernel.org/...c/34a5ee69ec6273f0aee79e7ce4d14afc83ca8122

git.kernel.org/...c/9dd9ffe118415b4ac1cebac43443000072bc8f46

git.kernel.org/...c/55caf900e13cd04466def08173a14b41d18c19c3

git.kernel.org/...c/15eaeb8941f12fcc2713c4bf6eb8f76a37854b4d

git.kernel.org/...c/4063384ef762cc5946fc7a3f89879e76c6ec51e2

cve.org (CVE-2023-53433)

nvd.nist.gov (CVE-2023-53433)

Download JSON