CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2023-52577: dccp: fix dccp_v4_err()/dccp_v6_err() again

Description

In the Linux kernel, the following vulnerability has been resolved:

dccp: fix dccp_v4_err()/dccp_v6_err() again

dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr",
not in the "byte 7" as Jann claimed.

We need to make sure the ICMP messages are big enough,
using more standard ways (no more assumptions).

syzbot reported:
BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]
BUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
pskb_may_pull include/linux/skbuff.h:2681 [inline]
dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
icmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867
icmpv6_rcv+0x19d5/0x30d0
ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:304 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:468 [inline]
ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:304 [inline]
ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
netif_receive_skb_internal net/core/dev.c:5723 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5782
tun_rx_batched+0x83b/0x920
tun_get_user+0x564...

Classification

CVE ID: CVE-2023-52577

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.06% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://git.kernel.org/stable/c/4600beae416d754a3cedbb1ecea8181ec05073b6
https://git.kernel.org/stable/c/62c218124fe58372e0e1f60d5b634d21c264b337
https://git.kernel.org/stable/c/a6f4d582e25d512c9b492670b6608436694357b3
https://git.kernel.org/stable/c/60d73c62e3e4464f375758b6f2459c13d46465b6
https://git.kernel.org/stable/c/26df9ab5de308caa1503d937533c56c35793018d
https://git.kernel.org/stable/c/73be49248a04746096339a48a33fa2f03bd85969
https://git.kernel.org/stable/c/1512d8f45d3c5d0b5baa00bd8e600492fa569f40
https://git.kernel.org/stable/c/6af289746a636f71f4c0535a9801774118486c7a

Timeline