CVE-2023-52610 in Linux

Summary

by MITRE • 03/18/2024

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ct: fix skb leak and crash on ooo frags

act_ct adds skb->users before defragmentation. If frags arrive in order, the last frag's reference is reset in:

inet_frag_reasm_prepare
  skb_morph

which is not straightforward.

However, when frags arrive out of order, nobody unrefs the last frag, and all frags are leaked. The situation is even worse, as initiating packet capture can lead to a crash[0] when skb has been cloned and shared at the same time.

Fix the issue by removing skb_get() before defragmentation. act_ct returns TC_ACT_CONSUMED when defrag fails or is in progress.

[0]:
[ 843.804823] ------------[ cut here ]------------
[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 843.894229] PKRU: 55555554
[ 843.898539] Call Trace:
[ 843.902772] <IRQ>
[ 843.906922] ? __die_body+0x1e/0x60
[ 843.911032] ? die+0x3c/0x60
[ 843.915037] ? do_trap+0xe2/0x110
[ 843.918911] ? pskb_expand_head+0x2ac/0x300
[ 843.922687] ? do_error_trap+0x65/0x80
[ 843.926342] ? pskb_expand_head+0x2ac/0x300
[ 843.929905] ? exc_invalid_op+0x50/0x60
[ 843.933398] ? pskb_expand_head+0x2ac/0x300
[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20
[ 843.940226] ? pskb_expand_head+0x2ac/0x300
[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
[ 843.946904] ip_defrag+0x5d4/0x870
[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
[ 843.959657] tcf_action_exec+0xa1/0x160
[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]
[ 843.966010] ? skb_clone+0x53/0xc0
[ 843.969173] tcf_classify+0x24d/0x420
[ 843.972333] tc_run+0x8f/0xf0
[ 843.975465] __netif_receive_skb_core+0x67a/0x1080
[ 843.978634] ? dev_gro_receive+0x249/0x730
[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260
[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0
[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
[ 843.991170] napi_complete_done+0x72/0x1a0
[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
[ 843.997501] __napi_poll+0x25/0x1b0
[ 844.000627] net_rx_action+0x256/0x330
[ 844.003705] __do_softirq+0xb3/0x29b
[ 844.006718] irq_exit_rcu+0x9e/0xc0
[ 844.009672] common_interrupt+0x86/0xa0
[ 844.012537] </IRQ>
[ 844.015285] <TASK>
[ 844.017937] asm_common_interrupt+0x26/0x40
[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb
---truncated---


Analysis

by VulDB Data Team • 03/11/2025

The vulnerability described in CVE-2023-52610 resides in the Linux kernel's net/sched act_ct action, which hands packets to connection tracking. It manifests as a memory leak and a potential system crash when handling out-of-order packet fragments. The flaw stems from improper reference counting of socket buffer (skb) structures during defragmentation: act_ct takes an extra reference (skb_get) on each fragment before passing it to the defragmentation code. When fragments arrive in order, that extra reference on the last fragment is reset inside inet_frag_reasm_prepare, which uses skb_morph to rewrite the fragment. When fragments arrive out of order, the extra reference is never dropped, so the fragments are never freed and every fragment of the packet is leaked. The problem is exacerbated when packet capture is active: the skb is then cloned and shared at the same time, and inet_frag_reasm_prepare's attempt to expand the skb head (pskb_expand_head) triggers the kernel BUG at net/core/skbuff.c:2091. The result is an invalid-opcode oops, causing system instability and a potential denial of service.

The technical root cause of this vulnerability aligns with CWE-401, which covers memory that is not released after its effective lifetime. The flaw is a classic resource leak: the act_ct module takes a reference it does not reliably give back before the defragmentation operations. Taking that reference on an skb that may also be cloned leaves multiple references to the same buffer at the moment the defragmentation code needs exclusive ownership, violating the kernel's skb ownership rules. The crash occurs because pskb_expand_head is called on an skb that is still shared, which the kernel treats as a bug rather than a recoverable error. The call trace shows the execution path leading to the failure through inet_frag_reasm_prepare, ip_defrag, and ultimately tcf_ct_act, indicating that the issue propagates from the traffic control subsystem into connection tracking.

This vulnerability presents a significant operational impact as it can lead to system instability and denial of service conditions. Attackers could potentially exploit this by sending carefully crafted packets with out-of-order fragments to trigger memory leaks and system crashes. The vulnerability affects systems using the Linux kernel's traffic control subsystem with connection tracking enabled, which is common in network infrastructure devices, firewalls, and routers. The memory leak aspect can gradually consume system resources, leading to performance degradation or complete system exhaustion. The crash condition poses a direct threat to system availability, particularly in environments where continuous network operation is critical. The issue is particularly concerning in high-throughput network environments where packet fragmentation is common, such as in data center networking or wireless communications.

Mitigation strategies for this vulnerability should focus on applying the kernel patch that removes the skb_get() call before defragmentation in the act_ct module. This ensures that proper reference counting is maintained throughout the defragmentation process regardless of fragment ordering. System administrators should prioritize updating to kernel versions that include this fix, particularly in production environments where network reliability is paramount. Monitoring for unusual memory consumption patterns or system crashes in network infrastructure devices can help detect exploitation attempts. Additional defensive measures include implementing network segmentation and traffic filtering to limit exposure to potentially malicious packet flows. The fix aligns with ATT&CK technique T1499.004, which involves resource exhaustion through memory leaks, and represents a critical patch management requirement for maintaining kernel security hygiene. Organizations should also consider implementing automated patch management systems to ensure timely deployment of security fixes across all network infrastructure components.
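A defender-side check for the two indicators the mitigation paragraph names, as an added example that is not part of the advisory or of the kernel: it classifies a dmesg excerpt against the crash signature quoted above (a kernel BUG in net/core/skbuff.c raised in pskb_expand_head with the act_ct defragmentation path on the stack) and flags sustained growth of the skbuff_head_cache slab. The dmesg and /proc/slabinfo samples are constructed for the example; the slabinfo row layout (name, active_objs, num_objs, ...) is assumed from the kernel's documented format.

```python
import re

# Constructed sample modelled on the oops quoted in the advisory (not a real capture).
SAMPLE_DMESG = """\
[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
[ 843.946904] ip_defrag+0x5d4/0x870
[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
"""
BUG_RE = re.compile(r"kernel BUG at net/core/skbuff\.c:\d+!")
SYM_RE = re.compile(r"\b([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frames that together identify the act_ct -> conntrack -> IP defrag path in the trace.
ACT_CT_PATH = ("tcf_ct_act", "nf_ct_handle_fragments", "ip_defrag", "inet_frag_reasm_prepare")

def classify_oops(text):
    """Match an oops against the act_ct defrag crash pattern from the advisory."""
    symbols = {m.group(1) for m in SYM_RE.finditer(text)}  # every symbol+off/size in the dump
    bug = BUG_RE.search(text) is not None
    path = [s for s in ACT_CT_PATH if s in symbols]
    in_pskb = "pskb_expand_head" in symbols
    return {"skbuff_bug": bug, "in_pskb_expand_head": in_pskb, "act_ct_path": path,
            "match": bug and in_pskb and len(path) == len(ACT_CT_PATH)}

def parse_slabinfo_line(line):
    """A /proc/slabinfo row starts '<name> <active_objs> <num_objs> ...'; return (name, active_objs)."""
    parts = line.split()
    return parts[0], int(parts[1])

def skb_slab_growth(active_objs, threshold=0.5):
    """Leak-like pattern: active objects never drop between samples and end more than
    `threshold` (as a fraction) above the first sample; transient bursts do not qualify."""
    if len(active_objs) < 2:
        return False
    monotonic = all(b >= a for a, b in zip(active_objs, active_objs[1:]))
    growth = (active_objs[-1] - active_objs[0]) / max(active_objs[0], 1)
    return monotonic and growth > threshold

# Constructed skbuff_head_cache rows as sampled a few minutes apart on a leaking host.
SAMPLE_SLAB_ROWS = [
    "skbuff_head_cache   1200   1344    256   16    1 : tunables    0    0    0 : slabdata     84     84      0",
    "skbuff_head_cache   1500   1600    256   16    1 : tunables    0    0    0 : slabdata    100    100      0",
    "skbuff_head_cache   2100   2208    256   16    1 : tunables    0    0    0 : slabdata    138    138      0",
    "skbuff_head_cache   3000   3072    256   16    1 : tunables    0    0    0 : slabdata    192    192      0",
]

if __name__ == "__main__":
    print(classify_oops(SAMPLE_DMESG))
    print(skb_slab_growth([parse_slabinfo_line(r)[1] for r in SAMPLE_SLAB_ROWS]))
```

On a live host, feed `dmesg` output to classify_oops and periodic `grep skbuff_head_cache /proc/slabinfo` readings to skb_slab_growth; a steadily rising count that never falls back is the leak signature, a one-off burst is normal traffic.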

Reservation

03/06/2024

Disclosure

03/18/2024

Moderation

accepted

CPE

ready

EPSS

0.00231

KEV

no

Activities

very low

Sources
