Skip to content

[ciqlts8 6] CVE 2023 53354 #765

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
roxanan1996 wants to merge 3 commits into
base: ciqlts8_6
Choose a base branch
from
Open

[ciqlts8 6] CVE 2023 53354 #765

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
87ce0e2
net: Pass NULL to skb_network_protocol() when we don't care about vla…
roxanan1996 Dec 5, 2025
bcf7d6d
net: gso: fix panic on frag_list with mixed head alloc types
roxanan1996 Dec 5, 2025
e3989e6
skbuff: skb_segment, Call zero copy functions before using skbuff frags
roxanan1996 Dec 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
75 changes: 41 additions & 34 deletions net/core/skbuff.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3864,44 +3864,44 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
struct sk_buff *segs = NULL;
struct sk_buff *tail = NULL;
struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list;
skb_frag_t *frag = skb_shinfo(head_skb)->frags;
unsigned int mss = skb_shinfo(head_skb)->gso_size;
unsigned int doffset = head_skb->data - skb_mac_header(head_skb);
struct sk_buff *frag_skb = head_skb;
unsigned int offset = doffset;
unsigned int tnl_hlen = skb_tnl_header_len(head_skb);
unsigned int partial_segs = 0;
unsigned int headroom;
unsigned int len = head_skb->len;
struct sk_buff *frag_skb;
skb_frag_t *frag;
__be16 proto;
bool csum, sg;
int nfrags = skb_shinfo(head_skb)->nr_frags;
int err = -ENOMEM;
int i = 0;
int pos;
int dummy;

if (list_skb && !list_skb->head_frag && skb_headlen(list_skb) &&
(skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) {
/* gso_size is untrusted, and we have a frag_list with a linear
* non head_frag head.
*
* (we assume checking the first list_skb member suffices;
* i.e if either of the list_skb members have non head_frag
* head, then the first one has too).
*
* If head_skb's headlen does not fit requested gso_size, it
* means that the frag_list members do NOT terminate on exact
* gso_size boundaries. Hence we cannot perform skb_frag_t page
* sharing. Therefore we must fallback to copying the frag_list
* skbs; we do so by disabling SG.
*/
if (mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb))
features &= ~NETIF_F_SG;
int nfrags, pos;

if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) &&
mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) {
struct sk_buff *check_skb;

for (check_skb = list_skb; check_skb; check_skb = check_skb->next) {
if (skb_headlen(check_skb) && !check_skb->head_frag) {
/* gso_size is untrusted, and we have a frag_list with
* a linear non head_frag item.
*
* If head_skb's headlen does not fit requested gso_size,
* it means that the frag_list members do NOT terminate
* on exact gso_size boundaries. Hence we cannot perform
* skb_frag_t page sharing. Therefore we must fallback to
* copying the frag_list skbs; we do so by disabling SG.
*/
features &= ~NETIF_F_SG;
break;
}
}
}

__skb_push(head_skb, doffset);
proto = skb_network_protocol(head_skb, &dummy);
proto = skb_network_protocol(head_skb, NULL);
if (unlikely(!proto))
return ERR_PTR(-EINVAL);

Expand Down Expand Up @@ -3954,6 +3954,13 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
headroom = skb_headroom(head_skb);
pos = skb_headlen(head_skb);

if (skb_orphan_frags(head_skb, GFP_ATOMIC))
return ERR_PTR(-ENOMEM);

nfrags = skb_shinfo(head_skb)->nr_frags;
frag = skb_shinfo(head_skb)->frags;
frag_skb = head_skb;

do {
struct sk_buff *nskb;
skb_frag_t *nskb_frag;
Expand All @@ -3978,6 +3985,10 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
(skb_headlen(list_skb) == len || sg)) {
BUG_ON(skb_headlen(list_skb) > len);

nskb = skb_clone(list_skb, GFP_ATOMIC);
if (unlikely(!nskb))
goto err;

i = 0;
nfrags = skb_shinfo(list_skb)->nr_frags;
frag = skb_shinfo(list_skb)->frags;
Expand All @@ -3996,12 +4007,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
frag++;
}

nskb = skb_clone(list_skb, GFP_ATOMIC);
list_skb = list_skb->next;

if (unlikely(!nskb))
goto err;

if (unlikely(pskb_trim(nskb, len))) {
kfree_skb(nskb);
goto err;
Expand Down Expand Up @@ -4066,12 +4073,16 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
SKBTX_SHARED_FRAG;

if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
goto err;

while (pos < offset + len) {
if (i >= nfrags) {
if (skb_orphan_frags(list_skb, GFP_ATOMIC) ||
skb_zerocopy_clone(nskb, list_skb,
GFP_ATOMIC))
goto err;

i = 0;
nfrags = skb_shinfo(list_skb)->nr_frags;
frag = skb_shinfo(list_skb)->frags;
Expand All @@ -4085,10 +4096,6 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
i--;
frag--;
}
if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
skb_zerocopy_clone(nskb, frag_skb,
GFP_ATOMIC))
goto err;

list_skb = list_skb->next;
}
Expand Down