CVE-2023-54114

Vulnerability

Analysis

The vulnerability resides in the Linux kernel's NSH (Network Service Header) GSO (Generic Segmentation Offload) implementation. In nsh_gso_segment(), the function calculates an offset (nhoff) as skb->network_header - skb->mac_header to later restore the MAC header if inner-layer GSO processing fails. However, when an inner protocol like MPLS calls skb_reset_network_header(), the skb->network_header is advanced, making the saved nhoff invalid. The subsequent skb_gso_error_unwind() uses this stale offset to set skb->mac_header, which can exceed the skb headroom, leading to a kernel panic via skb_push() [1].

Exploitation

An attacker can trigger this bug by sending a crafted packet that causes GSO processing to fail in the NSH layer to fail during inner protocol processing. The attack requires the ability to send packets to a vulnerable system, typically from a local or adjacent network. No authentication is needed, as the vulnerability is triggered during packet processing in the kernel's networking stack. The crash is reproducible with a syzkaller-generated packet, as shown in the kernel bug report [1].

Impact

Successful exploitation results in a kernel panic (denial of type invalid opcode), leading to a denial of service (DoS) on the affected system. The crash occurs in skb_panic() due to an invalid MAC header offset, causing the system to become unresponsive or reboot. There is no evidence of memory corruption or privilege escalation from this bug; the primary impact is system availability.

Mitigation

The fix is to use the correct mac_offset (stored before any header modifications) instead of recalculating from network_header. The patch has been applied to the Linux kernel stable branches, as referenced in commits [1], [2], and [3]. Users should update their kernel to a version containing the fix. No workaround is available; the vulnerability is resolved by applying the kernel patch.