
Description

In the Linux kernel, the following vulnerability has been resolved:

net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()

As the call trace shows, skb_panic was caused by a wrong skb->mac_header in nsh_gso_segment():

    invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
    RIP: 0010:skb_panic+0xda/0xe0
    Call Trace:
     skb_push+0x91/0xa0
     nsh_gso_segment+0x4f3/0x570
     skb_mac_gso_segment+0x19e/0x270
     __skb_gso_segment+0x1e8/0x3c0
     validate_xmit_skb+0x452/0x890
     validate_xmit_skb_list+0x99/0xd0
     sch_direct_xmit+0x294/0x7c0
     __dev_queue_xmit+0x16f0/0x1d70
     packet_xmit+0x185/0x210
     packet_snd+0xc15/0x1170
     packet_sendmsg+0x7b/0xa0
     sock_sendmsg+0x14f/0x160

The root cause is: nsh_gso_segment() uses skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if the inner-layer protocol gso fails. However, skb->network_header may be reset by the inner-layer protocol gso function, e.g. mpls_gso_segment. The skb->mac_header reset from the inaccurate network_header will be larger than the skb headroom.

    nsh_gso_segment
        nhoff = skb->network_header - skb->mac_header;
        __skb_pull(skb, nsh_len)
        skb_mac_gso_segment
            mpls_gso_segment
                skb_reset_network_header(skb); // skb->network_header += nsh_len
                return -EINVAL;
        skb_gso_error_unwind
            skb_push(skb, nsh_len);
            skb->mac_header = skb->network_header - nhoff;
            // skb->mac_header > skb->headroom, cause skb_push panic

Use the correct mac_offset to restore mac_header and get rid of nhoff.
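The offset arithmetic behind the bug, as an added C model that is not kernel code: the sk_buff fields, the offsets and the "inner GSO moves network_header" switch are all constructed here. It shows that deriving mac_header from network_header - nhoff is off by nsh_len once the inner GSO has reset network_header, while restoring a mac_offset saved on entry is correct either way.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the sk_buff offsets involved (not kernel code).
 * As in the kernel, every field is an offset from skb->head. */
struct model_skb {
    unsigned int data;            /* skb->data as an offset from head */
    unsigned int mac_header;      /* outer Ethernet header */
    unsigned int network_header;  /* points at the NSH header on entry */
};

/* Inner-protocol GSO that fails; when moves_network_header is set it first
 * does what the description says mpls_gso_segment() does via
 * skb_reset_network_header(): network_header becomes the current data offset. */
static void inner_gso_fails(struct model_skb *skb, bool moves_network_header)
{
    if (moves_network_header)
        skb->network_header = skb->data;   /* now NSH start + nsh_len */
}

/* Pre-fix unwind: mac_header is recomputed as network_header - nhoff. */
unsigned int unwind_with_nhoff(unsigned int mac, unsigned int nsh_start,
                               unsigned int nsh_len, bool inner_moves)
{
    struct model_skb skb = { .data = nsh_start, .mac_header = mac, .network_header = nsh_start };
    unsigned int nhoff = skb.network_header - skb.mac_header;

    skb.data += nsh_len;                       /* __skb_pull(skb, nsh_len) */
    inner_gso_fails(&skb, inner_moves);
    skb.data -= nsh_len;                       /* skb_push(skb, nsh_len) in unwind */
    skb.mac_header = skb.network_header - nhoff;  /* wrong by nsh_len if inner_moves */
    return skb.mac_header;
}

/* Fixed unwind: the mac_header offset saved on entry is restored directly. */
unsigned int unwind_with_saved_mac_offset(unsigned int mac, unsigned int nsh_start,
                                          unsigned int nsh_len, bool inner_moves)
{
    struct model_skb skb = { .data = nsh_start, .mac_header = mac, .network_header = nsh_start };
    unsigned int mac_offset = skb.mac_header;  /* saved before anything moves */

    skb.data += nsh_len;
    inner_gso_fails(&skb, inner_moves);
    skb.data -= nsh_len;
    skb.mac_header = mac_offset;
    return skb.mac_header;
}

int main(void)
{
    /* Constructed layout: outer MAC at 16, NSH header at 30, 8-byte NSH. */
    printf("buggy=%u fixed=%u expected=16\n",
           unwind_with_nhoff(16, 30, 8, true), unwind_with_saved_mac_offset(16, 30, 8, true));
    return 0;
}
```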

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Default status
unaffected

c411ed854584a71b0e86ac3019b60e4789d88086 (git) before 2f88c8d38ecf5ed0273f99a067246899ba499eb2
affected

c411ed854584a71b0e86ac3019b60e4789d88086 (git) before d2309e0cb27b6871b273fbc1725e93be62570d86
affected

c411ed854584a71b0e86ac3019b60e4789d88086 (git) before 435855b0831b351cb72cb38369ee33122ce9574c
affected

c411ed854584a71b0e86ac3019b60e4789d88086 (git) before 02b20e0bc0c2628539e9e518dc342787c3332de2
affected

c411ed854584a71b0e86ac3019b60e4789d88086 (git) before cdd8160dcda1fed2028a5f96575a84afc23aff7d
affected

c411ed854584a71b0e86ac3019b60e4789d88086 (git) before 6fbedf987b6b8ed54a50e2205d998eb2c8be72f9
affected

c411ed854584a71b0e86ac3019b60e4789d88086 (git) before cb38e62922aa3991793344b5a5870e7291c74a44
affected

c411ed854584a71b0e86ac3019b60e4789d88086 (git) before c83b49383b595be50647f0c764a48c78b5f3c4f8
affected

Default status
affected

4.14
affected

Any version before 4.14
unaffected

4.14.316 (semver)
unaffected

4.19.284 (semver)
unaffected

5.4.244 (semver)
unaffected

5.10.181 (semver)
unaffected

5.15.113 (semver)
unaffected

6.1.30 (semver)
unaffected

6.3.4 (semver)
unaffected

6.4 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/2f88c8d38ecf5ed0273f99a067246899ba499eb2

git.kernel.org/...c/d2309e0cb27b6871b273fbc1725e93be62570d86

git.kernel.org/...c/435855b0831b351cb72cb38369ee33122ce9574c

git.kernel.org/...c/02b20e0bc0c2628539e9e518dc342787c3332de2

git.kernel.org/...c/cdd8160dcda1fed2028a5f96575a84afc23aff7d

git.kernel.org/...c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9

git.kernel.org/...c/cb38e62922aa3991793344b5a5870e7291c74a44

git.kernel.org/...c/c83b49383b595be50647f0c764a48c78b5f3c4f8

cve.org (CVE-2023-54114)

nvd.nist.gov (CVE-2023-54114)

