CVE-2023-54206 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/253a3a324e0ebc2825de76a0f5f17b8383b2023d
https://git.kernel.org/stable/c/dd4f6bbfa646f258e5bcdfac57a5c413d687f588

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: fix filter idr initialization The cited commit moved idr initialization too early in fl_change() which allows concurrent users to access the filter that is still being initialized and is in inconsistent state, which, in turn, can cause NULL pointer dereference [0]. Since there is no obvious way to fix the ordering without reverting the whole cited commit, alternative approach taken to first insert NULL pointer into idr in order to allocate the handle but still cause fl_get() to return NULL and prevent concurrent users from seeing the filter while providing miss-to-action infrastructure with valid handle id early in fl_change(). [ 152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN [ 152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5 [ 152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower] [ 152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 <0f> b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57 [ 152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246 [ 152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900 [ 152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240 [ 152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900 [ 152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738 [ 152.448756] FS: 00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000 [ 152.449888] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0 [ 152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 152.453588] Call Trace: [ 152.454032] <TASK> [ 152.454447] ? netlink_sendmsg+0x7a1/0xcb0 [ 152.455109] ? sock_sendmsg+0xc5/0x190 [ 152.455689] ? ____sys_sendmsg+0x535/0x6b0 [ 152.456320] ? ___sys_sendmsg+0xeb/0x170 [ 152.456916] ? do_syscall_64+0x3d/0x90 [ 152.457529] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 152.458321] ? ___sys_sendmsg+0xeb/0x170 [ 152.458958] ? __sys_sendmsg+0xb5/0x140 [ 152.459564] ? do_syscall_64+0x3d/0x90 [ 152.460122] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 152.460852] ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower] [ 152.461710] ? _raw_spin_lock+0x7a/0xd0 [ 152.462299] ? _raw_read_lock_irq+0x30/0x30 [ 152.462924] ? nla_put+0x15e/0x1c0 [ 152.463480] fl_dump+0x228/0x650 [cls_flower] [ 152.464112] ? fl_tmplt_dump+0x210/0x210 [cls_flower] [ 152.464854] ? __kmem_cache_alloc_node+0x1a7/0x330 [ 152.465592] ? nla_put+0x15e/0x1c0 [ 152.466160] tcf_fill_node+0x515/0x9a0 [ 152.466766] ? tc_setup_offload_action+0xf0/0xf0 [ 152.467463] ? __alloc_skb+0x13c/0x2a0 [ 152.468067] ? __build_skb_around+0x330/0x330 [ 152.468814] ? fl_get+0x107/0x1a0 [cls_flower] [ 152.469503] tc_del_tfilter+0x718/0x1330 [ 152.470115] ? is_bpf_text_address+0xa/0x20 [ 152.470765] ? tc_ctl_chain+0xee0/0xee0 [ 152.471335] ? __kernel_text_address+0xe/0x30 [ 152.471948] ? unwind_get_return_address+0x56/0xa0 [ 152.472639] ? __thaw_task+0x150/0x150 [ 152.473218] ? arch_stack_walk+0x98/0xf0 [ 152.473839] ? __stack_depot_save+0x35/0x4c0 [ 152.474501] ? stack_trace_save+0x91/0xc0 [ 152.475119] ? security_capable+0x51/0x90 [ 152.475741] rtnetlink_rcv_msg+0x2c1/0x9d0 [ 152.476387] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 152.477042] ---truncated---
Title		net/sched: flower: fix filter idr initialization
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/253a3a324e0ebc2825de76a0f5f17b8383b2023d https://git.kernel.org/stable/c/dd4f6bbfa646f258e5bcdfac57a5c413d687f588

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54206", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.499Z", "datePublished": "2025-12-30T12:11:05.945Z", "dateUpdated": "2025-12-30T12:11:05.945Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:11:05.945Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: fix filter idr initialization\n\nThe cited commit moved idr initialization too early in fl_change() which\nallows concurrent users to access the filter that is still being\ninitialized and is in inconsistent state, which, in turn, can cause NULL\npointer dereference [0]. Since there is no obvious way to fix the ordering\nwithout reverting the whole cited commit, alternative approach taken to\nfirst insert NULL pointer into idr in order to allocate the handle but\nstill cause fl_get() to return NULL and prevent concurrent users from\nseeing the filter while providing miss-to-action infrastructure with valid\nhandle id early in fl_change().\n\n[ 152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\n[ 152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[ 152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5\n[ 152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower]\n[ 152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 <0f> b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57\n[ 152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246\n[ 152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900\n[ 152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240\n[ 152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900\n[ 152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738\n[ 152.448756] FS: 00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000\n[ 152.449888] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0\n[ 152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 152.453588] Call Trace:\n[ 152.454032] <TASK>\n[ 152.454447] ? netlink_sendmsg+0x7a1/0xcb0\n[ 152.455109] ? sock_sendmsg+0xc5/0x190\n[ 152.455689] ? ____sys_sendmsg+0x535/0x6b0\n[ 152.456320] ? ___sys_sendmsg+0xeb/0x170\n[ 152.456916] ? do_syscall_64+0x3d/0x90\n[ 152.457529] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 152.458321] ? ___sys_sendmsg+0xeb/0x170\n[ 152.458958] ? __sys_sendmsg+0xb5/0x140\n[ 152.459564] ? do_syscall_64+0x3d/0x90\n[ 152.460122] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 152.460852] ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower]\n[ 152.461710] ? _raw_spin_lock+0x7a/0xd0\n[ 152.462299] ? _raw_read_lock_irq+0x30/0x30\n[ 152.462924] ? nla_put+0x15e/0x1c0\n[ 152.463480] fl_dump+0x228/0x650 [cls_flower]\n[ 152.464112] ? fl_tmplt_dump+0x210/0x210 [cls_flower]\n[ 152.464854] ? __kmem_cache_alloc_node+0x1a7/0x330\n[ 152.465592] ? nla_put+0x15e/0x1c0\n[ 152.466160] tcf_fill_node+0x515/0x9a0\n[ 152.466766] ? tc_setup_offload_action+0xf0/0xf0\n[ 152.467463] ? __alloc_skb+0x13c/0x2a0\n[ 152.468067] ? __build_skb_around+0x330/0x330\n[ 152.468814] ? fl_get+0x107/0x1a0 [cls_flower]\n[ 152.469503] tc_del_tfilter+0x718/0x1330\n[ 152.470115] ? is_bpf_text_address+0xa/0x20\n[ 152.470765] ? tc_ctl_chain+0xee0/0xee0\n[ 152.471335] ? __kernel_text_address+0xe/0x30\n[ 152.471948] ? unwind_get_return_address+0x56/0xa0\n[ 152.472639] ? __thaw_task+0x150/0x150\n[ 152.473218] ? arch_stack_walk+0x98/0xf0\n[ 152.473839] ? __stack_depot_save+0x35/0x4c0\n[ 152.474501] ? stack_trace_save+0x91/0xc0\n[ 152.475119] ? security_capable+0x51/0x90\n[ 152.475741] rtnetlink_rcv_msg+0x2c1/0x9d0\n[ 152.476387] ? rtnl_calcit.isra.0+0x2b0/0x2b0\n[ 152.477042]\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_flower.c"], "versions": [{"version": "08a0063df3aed8d76a4034279117db12dbc1050f", "lessThan": "253a3a324e0ebc2825de76a0f5f17b8383b2023d", "status": "affected", "versionType": "git"}, {"version": "08a0063df3aed8d76a4034279117db12dbc1050f", "lessThan": "dd4f6bbfa646f258e5bcdfac57a5c413d687f588", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/cls_flower.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.3", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/253a3a324e0ebc2825de76a0f5f17b8383b2023d"}, {"url": "https://git.kernel.org/stable/c/dd4f6bbfa646f258e5bcdfac57a5c413d687f588"}], "title": "net/sched: flower: fix filter idr initialization", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: fix filter idr initialization\n\nThe cited commit moved idr initialization too early in fl_change() which\nallows concurrent users to access the filter that is still being\ninitialized and is in inconsistent state, which, in turn, can cause NULL\npointer dereference [0]. Since there is no obvious way to fix the ordering\nwithout reverting the whole cited commit, alternative approach taken to\nfirst insert NULL pointer into idr in order to allocate the handle but\nstill cause fl_get() to return NULL and prevent concurrent users from\nseeing the filter while providing miss-to-action infrastructure with valid\nhandle id early in fl_change().\n\n[ 152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\n[ 152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n[ 152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5\n[ 152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower]\n[ 152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 <0f> b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57\n[ 152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246\n[ 152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900\n[ 152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240\n[ 152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900\n[ 152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738\n[ 152.448756] FS: 00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000\n[ 152.449888] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0\n[ 152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 152.453588] Call Trace:\n[ 152.454032] <TASK>\n[ 152.454447] ? netlink_sendmsg+0x7a1/0xcb0\n[ 152.455109] ? sock_sendmsg+0xc5/0x190\n[ 152.455689] ? ____sys_sendmsg+0x535/0x6b0\n[ 152.456320] ? ___sys_sendmsg+0xeb/0x170\n[ 152.456916] ? do_syscall_64+0x3d/0x90\n[ 152.457529] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 152.458321] ? ___sys_sendmsg+0xeb/0x170\n[ 152.458958] ? __sys_sendmsg+0xb5/0x140\n[ 152.459564] ? do_syscall_64+0x3d/0x90\n[ 152.460122] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0\n[ 152.460852] ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower]\n[ 152.461710] ? _raw_spin_lock+0x7a/0xd0\n[ 152.462299] ? _raw_read_lock_irq+0x30/0x30\n[ 152.462924] ? nla_put+0x15e/0x1c0\n[ 152.463480] fl_dump+0x228/0x650 [cls_flower]\n[ 152.464112] ? fl_tmplt_dump+0x210/0x210 [cls_flower]\n[ 152.464854] ? __kmem_cache_alloc_node+0x1a7/0x330\n[ 152.465592] ? nla_put+0x15e/0x1c0\n[ 152.466160] tcf_fill_node+0x515/0x9a0\n[ 152.466766] ? tc_setup_offload_action+0xf0/0xf0\n[ 152.467463] ? __alloc_skb+0x13c/0x2a0\n[ 152.468067] ? __build_skb_around+0x330/0x330\n[ 152.468814] ? fl_get+0x107/0x1a0 [cls_flower]\n[ 152.469503] tc_del_tfilter+0x718/0x1330\n[ 152.470115] ? is_bpf_text_address+0xa/0x20\n[ 152.470765] ? tc_ctl_chain+0xee0/0xee0\n[ 152.471335] ? __kernel_text_address+0xe/0x30\n[ 152.471948] ? unwind_get_return_address+0x56/0xa0\n[ 152.472639] ? __thaw_task+0x150/0x150\n[ 152.473218] ? arch_stack_walk+0x98/0xf0\n[ 152.473839] ? __stack_depot_save+0x35/0x4c0\n[ 152.474501] ? stack_trace_save+0x91/0xc0\n[ 152.475119] ? security_capable+0x51/0x90\n[ 152.475741] rtnetlink_rcv_msg+0x2c1/0x9d0\n[ 152.476387] ? rtnl_calcit.isra.0+0x2b0/0x2b0\n[ 152.477042]\n---truncated---"}], "id": "CVE-2023-54206", "lastModified": "2025-12-30T13:16:08.750", "metrics": {}, "published": "2025-12-30T13:16:08.750", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/253a3a324e0ebc2825de76a0f5f17b8383b2023d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/dd4f6bbfa646f258e5bcdfac57a5c413d687f588"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object