CVE-2023-53365

In the Linux kernel, the following vulnerability has been resolved:

ip6mr: Fix skbunderpanic in ip6mrcachereport()

skbuff: skbunderpanic: text:ffffffff88771f69 len:56 put:-4 head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:192! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b571a #236 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: ipv6addrconf addrconfdadwork RIP: 0010:skbpanic+0x152/0x1d0 Call Trace: <TASK> skbpush+0xc4/0xe0 ip6mrcachereport+0xd69/0x19b0 regvifxmit+0x406/0x690 devhardstartxmit+0x17e/0x6e0 __devqueuexmit+0x2d6a/0x3d20 vlan_devhardstartxmit+0x3ab/0x5c0 devhardstartxmit+0x17e/0x6e0 __devqueuexmit+0x2d6a/0x3d20 neighconnectedoutput+0x3ed/0x570 ip6finishoutput2+0x5b5/0x1950 ip6finishoutput+0x693/0x11c0 ip6output+0x24b/0x880 NFHOOK.constprop.0+0xfd/0x530 ndiscsendskb+0x9db/0x1400 ndiscsendrs+0x12a/0x6c0 addrconfdadcompleted+0x3c9/0xea0 addrconfdadwork+0x849/0x1420 processonework+0xa22/0x16e0 workerthread+0x679/0x10c0 retfromfork+0x28/0x60 retfromforkasm+0x11/0x20

When setup a vlan device on dev pim6reg, DAD ns packet may sent on regvifxmit(). regvifxmit() ip6mrcachereport() skbpush(skb, -skbnetworkoffset(pkt));//skbnetworkoffset(pkt) is 4 And skbpush declared as: void *skbpush(struct skbuff *skb, unsigned int len); skb->data -= len; //0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850 skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails.