CVE-2023-52745 in Linux
Summary
by MITRE • 05/21/2024
In the Linux kernel, the following vulnerability has been resolved:
IB/IPoIB: Fix legacy IPoIB due to wrong number of queues
The cited commit creates child PKEY interfaces over netlink will multiple tx and rx queues, but some devices doesn't support more than 1 tx and 1 rx queues. This causes to a crash when traffic is sent over the PKEY interface due to the parent having a single queue but the child having multiple queues.
This patch fixes the number of queues to 1 for legacy IPoIB at the earliest possible point in time.
BUG: kernel NULL pointer dereference, address: 000000000000036b PGD 0 P4D 0 Oops: 0000 [#1] SMP
CPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc+0xcb/0x450 Code: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a 01 49 8b 3c 24 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b RSP: 0018:ffff88822acbbab8 EFLAGS: 00010202 RAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae RDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00 RBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40 R10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000 R13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000 FS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: skb_clone+0x55/0xd0 ip6_finish_output2+0x3fe/0x690 ip6_finish_output+0xfa/0x310 ip6_send_skb+0x1e/0x60 udp_v6_send_skb+0x1e5/0x420 udpv6_sendmsg+0xb3c/0xe60 ? ip_mc_finish_output+0x180/0x180 ? __switch_to_asm+0x3a/0x60 ? __switch_to_asm+0x34/0x60 sock_sendmsg+0x33/0x40 __sys_sendto+0x103/0x160 ? _copy_to_user+0x21/0x30 ? kvm_clock_get_cycles+0xd/0x10 ? ktime_get_ts64+0x49/0xe0 __x64_sys_sendto+0x25/0x30 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f9374f1ed14 Code: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b RSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14 RDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030 RBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/06/2025
The vulnerability CVE-2023-52745 affects the Linux kernel's InfiniBand over IP (IPoIB) implementation, specifically impacting legacy IPoIB interfaces that are created via netlink. The issue stems from a mismatch in queue configuration where child PKEY interfaces are initialized with multiple transmit and receive queues, while certain hardware devices only support a single transmit and single receive queue. This discrepancy leads to a kernel NULL pointer dereference when traffic is transmitted over the PKEY interface, causing a system crash. The error occurs because the parent interface operates with a single queue configuration, but the child interface is created with multiple queues, creating a scenario where memory allocation attempts fail due to inconsistent queue handling.
The technical flaw manifests in the kernel's network subsystem when processing IPoIB traffic, particularly during packet transmission. The kernel's memory management function kmem_cache_alloc is invoked with invalid parameters, leading to the NULL pointer dereference at address 0x000000000000036b. This memory access violation occurs during the skb_clone operation within the IPv6 output processing chain, specifically in the ip6_finish_output2 function. The crash is triggered when the kernel attempts to handle UDP traffic through the malformed IPoIB interface, with the call trace showing the execution path from user-space socket operations through the kernel's network stack to the memory allocation failure. The root cause is the improper initialization of queue counts during the creation of child PKEY interfaces, where the system fails to account for hardware limitations.
The operational impact of this vulnerability is significant for systems utilizing InfiniBand networks with IPoIB interfaces, particularly those running Linux kernel versions that include the affected code path. Systems experiencing this crash will suffer from kernel panics and complete service disruption, requiring system reboot to restore functionality. The vulnerability affects any environment where legacy IPoIB interfaces are used with hardware that does not support multiple queue configurations, making it particularly relevant for data center and high-performance computing environments that rely on InfiniBand networking. The crash occurs during normal network traffic processing, meaning the vulnerability can be exploited through routine network operations without requiring special privileges or conditions.
The fix implemented in this patch addresses the issue by setting the number of queues to one for legacy IPoIB interfaces at the earliest possible point in the initialization process. This ensures that all child PKEY interfaces inherit the correct queue configuration that matches the underlying hardware capabilities. The mitigation strategy focuses on preventing the creation of interfaces with incompatible queue configurations, thereby avoiding the memory allocation failures that lead to the NULL pointer dereference. This approach aligns with the principle of least privilege and system stability by ensuring that kernel resources are properly allocated according to hardware constraints. The patch represents a defensive programming fix that prevents configuration mismatches rather than attempting to handle multiple queue scenarios through complex error recovery mechanisms.
This vulnerability maps to CWE-121 in the Common Weakness Enumeration, which describes heap-based buffer overflow conditions that can occur when memory is accessed improperly. The specific weakness manifests as an improper access to memory locations due to incorrect queue count handling in kernel memory management. From an ATT&CK perspective, this vulnerability could be categorized under T1059.001 (Command and Scripting Interpreter: Python) as demonstrated by the crash trace showing python3 as the crashing process, indicating that network traffic from user-space applications can trigger the kernel-level issue. The vulnerability also relates to T1498 (Network Denial of Service) as it can cause complete system crashes through network traffic processing, effectively rendering the affected system unavailable. The fix ensures that the kernel maintains consistency between interface configuration and hardware capabilities, preventing the exploitation of queue configuration mismatches that could lead to system instability or denial of service conditions.