CVE-2023-54114

In the Linux kernel, the following vulnerability has been resolved:

net: nsh: Use correct macoffset to unwind gso skb in nshgso_segment()

As the call trace shows, skbpanic was caused by wrong skb->macheader in nshgsosegment():

invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skbpanic+0xda/0xe0 call Trace: skbpush+0x91/0xa0 nshgsosegment+0x4f3/0x570 skbmacgso_segment+0x19e/0x270 __skbgsosegment+0x1e8/0x3c0 validatexmitskb+0x452/0x890 validatexmitskblist+0x99/0xd0 schdirect_xmit+0x294/0x7c0 __devqueuexmit+0x16f0/0x1d70 packetxmit+0x185/0x210 packetsnd+0xc15/0x1170 packetsendmsg+0x7b/0xa0 socksendmsg+0x14f/0x160

The root cause is: nshgsosegment() use skb->networkheader - nhoff to reset macheader in skbgsoerrorunwind() if inner-layer protocol gso fails. However, skb->networkheader may be reset by inner-layer protocol gso function e.g. mplsgsosegment. skb->macheader reset by the inaccurate networkheader will be larger than skb headroom.

nshgsosegment nhoff = skb->networkheader - skb->macheader; _skbpull(skb,nshlen) skbmacgsosegment mplsgsosegment skbresetnetworkheader(skb);//skb->networkheader+=nshlen return -EINVAL; skbgsoerrorunwind skbpush(skb, nshlen); skb->macheader = skb->networkheader - nhoff; // skb->macheader > skb->headroom, cause skbpush panic

Use correct macoffset to restore macheader and get rid of nhoff.