GHSA-V2JM-777X-22HP

Vulnerability from github – Published: 2025-12-30 15:30 – Updated: 2025-12-30 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: flower: fix filter idr initialization

The cited commit moved idr initialization too early in fl_change(), which allows concurrent users to access the filter that is still being initialized and is in an inconsistent state, which, in turn, can cause a NULL pointer dereference [0]. Since there is no obvious way to fix the ordering without reverting the whole cited commit, an alternative approach was taken: first insert a NULL pointer into the idr in order to allocate the handle but still cause fl_get() to return NULL and prevent concurrent users from seeing the filter, while providing the miss-to-action infrastructure with a valid handle id early in fl_change().

[  152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
[  152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[  152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5
[  152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[  152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower]
[  152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 <0f> b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57
[  152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246
[  152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900
[  152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240
[  152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900
[  152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738
[  152.448756] FS:  00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000
[  152.449888] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0
[  152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  152.453588] Call Trace:
[  152.454032]  <TASK>
[  152.454447]  ? netlink_sendmsg+0x7a1/0xcb0
[  152.455109]  ? sock_sendmsg+0xc5/0x190
[  152.455689]  ? ____sys_sendmsg+0x535/0x6b0
[  152.456320]  ? ___sys_sendmsg+0xeb/0x170
[  152.456916]  ? do_syscall_64+0x3d/0x90
[  152.457529]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
[  152.458321]  ? ___sys_sendmsg+0xeb/0x170
[  152.458958]  ? __sys_sendmsg+0xb5/0x140
[  152.459564]  ? do_syscall_64+0x3d/0x90
[  152.460122]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
[  152.460852]  ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower]
[  152.461710]  ? _raw_spin_lock+0x7a/0xd0
[  152.462299]  ? _raw_read_lock_irq+0x30/0x30
[  152.462924]  ? nla_put+0x15e/0x1c0
[  152.463480]  fl_dump+0x228/0x650 [cls_flower]
[  152.464112]  ? fl_tmplt_dump+0x210/0x210 [cls_flower]
[  152.464854]  ? __kmem_cache_alloc_node+0x1a7/0x330
[  152.465592]  ? nla_put+0x15e/0x1c0
[  152.466160]  tcf_fill_node+0x515/0x9a0
[  152.466766]  ? tc_setup_offload_action+0xf0/0xf0
[  152.467463]  ? __alloc_skb+0x13c/0x2a0
[  152.468067]  ? __build_skb_around+0x330/0x330
[  152.468814]  ? fl_get+0x107/0x1a0 [cls_flower]
[  152.469503]  tc_del_tfilter+0x718/0x1330
[  152.470115]  ? is_bpf_text_address+0xa/0x20
[  152.470765]  ? tc_ctl_chain+0xee0/0xee0
[  152.471335]  ? __kernel_text_address+0xe/0x30
[  152.471948]  ? unwind_get_return_address+0x56/0xa0
[  152.472639]  ? __thaw_task+0x150/0x150
[  152.473218]  ? arch_stack_walk+0x98/0xf0
[  152.473839]  ? __stack_depot_save+0x35/0x4c0
[  152.474501]  ? stack_trace_save+0x91/0xc0
[  152.475119]  ? security_capable+0x51/0x90
[  152.475741]  rtnetlink_rcv_msg+0x2c1/0x9d0
[  152.476387]  ? rtnl_calcit.isra.0+0x2b0/0x2b0
[  152.477042]
---truncated---
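The ordering problem and the placeholder fix described above can be shown with a small user-space model. This is an added illustration, not code from the kernel or from the fix commit: the handle table, `table_alloc`, `table_replace` and `table_get` are constructed stand-ins for the IDR, `fl_get()` and `idr_replace()`, and `dump_key` reports what `fl_dump_key()` would have dereferenced instead of crashing. `change_begin` with `early_publish=1` models the cited commit's ordering (filter pointer stored as soon as the id is allocated); with `early_publish=0` it models the fix (a NULL placeholder reserves the id, so a concurrent lookup still returns NULL until the finished filter is swapped in).

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for the kernel IDR: a tiny handle table where a
 * slot can be "used" (id allocated) while still holding a NULL pointer. */
#define HANDLE_MAX 8

struct handle_table {
    void *slot[HANDLE_MAX];   /* published object, or NULL if none yet */
    int   used[HANDLE_MAX];   /* 1 once the handle id has been allocated */
};

/* Filter object; key is only set once initialization has finished. */
struct filter {
    int         handle;
    const char *key;          /* NULL while the filter is being built */
};

/* Allocate the lowest free handle id and store ptr there (idr_alloc stand-in). */
static int table_alloc(struct handle_table *t, void *ptr)
{
    for (int i = 1; i < HANDLE_MAX; i++) {     /* handle 0 is never valid */
        if (!t->used[i]) {
            t->used[i] = 1;
            t->slot[i] = ptr;
            return i;
        }
    }
    return -1;                                 /* table full */
}

/* Replace the pointer under an already allocated handle (idr_replace stand-in). */
static int table_replace(struct handle_table *t, int handle, void *ptr)
{
    if (handle <= 0 || handle >= HANDLE_MAX || !t->used[handle])
        return -1;
    t->slot[handle] = ptr;
    return 0;
}

/* Reader-side lookup, as fl_get() does for a concurrent tc dump or delete. */
static struct filter *table_get(struct handle_table *t, int handle)
{
    if (handle <= 0 || handle >= HANDLE_MAX)
        return NULL;
    return t->slot[handle];
}

/* fl_dump_key() stand-in that reports instead of dereferencing:
 *  1 = key dumped, 0 = nothing visible (lookup returned NULL),
 * -1 = a half-built filter reached the reader (the NULL-deref case). */
static int dump_key(const struct filter *f)
{
    if (!f)
        return 0;
    if (!f->key)
        return -1;
    return 1;
}

/* First half of fl_change(): obtain a handle id. early_publish=1 stores the
 * filter pointer immediately (cited commit); 0 stores a NULL placeholder (fix). */
static int change_begin(struct handle_table *t, struct filter *f, int early_publish)
{
    int h = table_alloc(t, early_publish ? (void *)f : NULL);
    if (h >= 0)
        f->handle = h;            /* id is valid for miss-to-action use from here on */
    return h;
}

/* Second half of fl_change(): finish the filter, then publish it. */
static int change_finish(struct handle_table *t, struct filter *f, const char *key)
{
    f->key = key;
    return table_replace(t, f->handle, f);
}

/* What a concurrent reader observes between the two halves of fl_change(). */
int probe_during_change(int early_publish)
{
    struct handle_table t = {{0}, {0}};
    struct filter f = {0, NULL};
    int h = change_begin(&t, &f, early_publish);
    if (h < 0)
        return -2;
    return dump_key(table_get(&t, h));   /* -1 with early publish, 0 with the fix */
}

/* What a reader observes once fl_change() has completed under the fix. */
int probe_after_change(void)
{
    struct handle_table t = {{0}, {0}};
    struct filter f = {0, NULL};
    int h = change_begin(&t, &f, 0);
    if (h < 0 || change_finish(&t, &f, "dst_ip 10.0.0.1/32") != 0)   /* constructed key */
        return -2;
    return dump_key(table_get(&t, h));   /* 1: only the fully built filter is visible */
}

int main(void)
{
    printf("early publish, reader mid-change:      %d\n", probe_during_change(1));
    printf("NULL placeholder, reader mid-change:   %d\n", probe_during_change(0));
    printf("NULL placeholder, reader after change: %d\n", probe_after_change());
    return 0;
}
```

The point the model makes is the one the fix relies on: reserving the id with a NULL entry gives `fl_change()` a usable handle for the miss-to-action path while keeping the partially initialized object out of reach of readers, and the single `table_replace` at the end is the only moment the filter becomes visible.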


{
  "affected": [],
  "aliases": [
    "CVE-2023-54206"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:08Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: fix filter idr initialization\n\nThe cited commit moved idr initialization too early in fl_change() which\nallows concurrent users to access the filter that is still being\ninitialized and is in inconsistent state, which, in turn, can cause NULL\npointer dereference [0]. Since there is no obvious way to fix the ordering\nwithout reverting the whole cited commit, alternative approach taken to\nfirst insert NULL pointer into idr in order to allocate the handle but\nstill cause fl_get() to return NULL and prevent concurrent users from\nseeing the filter while providing miss-to-action infrastructure with valid\nhandle id early in fl_change().\n\n[  152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\n[  152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[  152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5\n[  152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower]\n[  152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 \u003c0f\u003e b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57\n[  152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246\n[  152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[  152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900\n[  152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240\n[  152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900\n[  152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738\n[  152.448756] FS:  00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000\n[  152.449888] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0\n[  152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  152.453588] Call Trace:\n[  152.454032]  \u003cTASK\u003e\n[  152.454447]  ? netlink_sendmsg+0x7a1/0xcb0\n[  152.455109]  ? sock_sendmsg+0xc5/0x190\n[  152.455689]  ? ____sys_sendmsg+0x535/0x6b0\n[  152.456320]  ? ___sys_sendmsg+0xeb/0x170\n[  152.456916]  ? do_syscall_64+0x3d/0x90\n[  152.457529]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[  152.458321]  ? ___sys_sendmsg+0xeb/0x170\n[  152.458958]  ? __sys_sendmsg+0xb5/0x140\n[  152.459564]  ? do_syscall_64+0x3d/0x90\n[  152.460122]  ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[  152.460852]  ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower]\n[  152.461710]  ? _raw_spin_lock+0x7a/0xd0\n[  152.462299]  ? _raw_read_lock_irq+0x30/0x30\n[  152.462924]  ? nla_put+0x15e/0x1c0\n[  152.463480]  fl_dump+0x228/0x650 [cls_flower]\n[  152.464112]  ? fl_tmplt_dump+0x210/0x210 [cls_flower]\n[  152.464854]  ? __kmem_cache_alloc_node+0x1a7/0x330\n[  152.465592]  ? nla_put+0x15e/0x1c0\n[  152.466160]  tcf_fill_node+0x515/0x9a0\n[  152.466766]  ? tc_setup_offload_action+0xf0/0xf0\n[  152.467463]  ? __alloc_skb+0x13c/0x2a0\n[  152.468067]  ? __build_skb_around+0x330/0x330\n[  152.468814]  ? fl_get+0x107/0x1a0 [cls_flower]\n[  152.469503]  tc_del_tfilter+0x718/0x1330\n[  152.470115]  ? is_bpf_text_address+0xa/0x20\n[  152.470765]  ? tc_ctl_chain+0xee0/0xee0\n[  152.471335]  ? __kernel_text_address+0xe/0x30\n[  152.471948]  ? unwind_get_return_address+0x56/0xa0\n[  152.472639]  ? __thaw_task+0x150/0x150\n[  152.473218]  ? arch_stack_walk+0x98/0xf0\n[  152.473839]  ? __stack_depot_save+0x35/0x4c0\n[  152.474501]  ? stack_trace_save+0x91/0xc0\n[  152.475119]  ? security_capable+0x51/0x90\n[  152.475741]  rtnetlink_rcv_msg+0x2c1/0x9d0\n[  152.476387]  ? rtnl_calcit.isra.0+0x2b0/0x2b0\n[  152.477042]\n---truncated---",
  "id": "GHSA-v2jm-777x-22hp",
  "modified": "2025-12-30T15:30:31Z",
  "published": "2025-12-30T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54206"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/253a3a324e0ebc2825de76a0f5f17b8383b2023d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd4f6bbfa646f258e5bcdfac57a5c413d687f588"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

