-

CVE-2023-54114

EPSS 0.05%
Veröffentlicht 24.12.2025 13:06:36
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()

In the Linux kernel, the following vulnerability has been resolved:

net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()

As the call trace shows, skb_panic was caused by wrong skb->mac_header
in nsh_gso_segment():

invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
RIP: 0010:skb_panic+0xda/0xe0
call Trace:
 skb_push+0x91/0xa0
 nsh_gso_segment+0x4f3/0x570
 skb_mac_gso_segment+0x19e/0x270
 __skb_gso_segment+0x1e8/0x3c0
 validate_xmit_skb+0x452/0x890
 validate_xmit_skb_list+0x99/0xd0
 sch_direct_xmit+0x294/0x7c0
 __dev_queue_xmit+0x16f0/0x1d70
 packet_xmit+0x185/0x210
 packet_snd+0xc15/0x1170
 packet_sendmsg+0x7b/0xa0
 sock_sendmsg+0x14f/0x160

The root cause is:
nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
in skb_gso_error_unwind() if inner-layer protocol gso fails.
However, skb->network_header may be reset by inner-layer protocol
gso function e.g. mpls_gso_segment. skb->mac_header reset by the
inaccurate network_header will be larger than skb headroom.

nsh_gso_segment
    nhoff = skb->network_header - skb->mac_header;
    __skb_pull(skb,nsh_len)
    skb_mac_gso_segment
        mpls_gso_segment
            skb_reset_network_header(skb);//skb->network_header+=nsh_len
            return -EINVAL;
    skb_gso_error_unwind
        skb_push(skb, nsh_len);
        skb->mac_header = skb->network_header - nhoff;
        // skb->mac_header > skb->headroom, cause skb_push panic

Use correct mac_offset to restore mac_header and get rid of nhoff.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 11

CNA 2 VulnDex Vulnerability Enrichment 9

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version c411ed854584a71b0e86ac3019b60e4789d88086

Version < 2f88c8d38ecf5ed0273f99a067246899ba499eb2

Status affected

Version c411ed854584a71b0e86ac3019b60e4789d88086

Version < d2309e0cb27b6871b273fbc1725e93be62570d86

Status affected

Version c411ed854584a71b0e86ac3019b60e4789d88086

Version < 435855b0831b351cb72cb38369ee33122ce9574c

Status affected

Version c411ed854584a71b0e86ac3019b60e4789d88086

Version < 02b20e0bc0c2628539e9e518dc342787c3332de2

Status affected

Version c411ed854584a71b0e86ac3019b60e4789d88086

Version < cdd8160dcda1fed2028a5f96575a84afc23aff7d

Status affected

Version c411ed854584a71b0e86ac3019b60e4789d88086

Version < 6fbedf987b6b8ed54a50e2205d998eb2c8be72f9

Status affected

Version c411ed854584a71b0e86ac3019b60e4789d88086

Version < cb38e62922aa3991793344b5a5870e7291c74a44

Status affected

Version c411ed854584a71b0e86ac3019b60e4789d88086

Version < c83b49383b595be50647f0c764a48c78b5f3c4f8

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 4.14

Status affected

Version 0

Version < 4.14

Status unaffected

Version <= 4.14.*

Version 4.14.316

Status unaffected

Version <= 4.19.*

Version 4.19.284

Status unaffected

Version <= 5.4.*

Version 5.4.244

Status unaffected

Version <= 5.10.*

Version 5.10.181

Status unaffected

Version <= 5.15.*

Version 5.15.113

Status unaffected

Version <= 6.1.*

Version 6.1.30

Status unaffected

Version <= 6.3.*

Version 6.3.4

Status unaffected

Version <= *

Version 6.4

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.144

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2

https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86

https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c

https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2

https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d

https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9

https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44

https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8

https://nvd.nist.gov/vuln/detail/CVE-2023-54114

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-54114

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-54114

EUVD