Bug 2257979 (CVE-2023-52340) - CVE-2023-52340 kernel: ICMPv6 “Packet Too Big” packets force a DoS of the Linux kernel by forcing 100% CPU
Summary: CVE-2023-52340 kernel: ICMPv6 “Packet Too Big” packets force a DoS of the Lin...
Keywords:
Status: NEW
Alias: CVE-2023-52340
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2260726
Blocks: 2257965
TreeView+ depends on / blocked
 
Reported: 2024-01-11 22:16 UTC by Robb Gatica
Modified: 2024-05-28 14:49 UTC (History)
53 users (show)

Fixed In Version: kernel 6.3-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw in the routing table size was found in the ICMPv6 handling of "Packet Too Big". The size of the routing table is regulated by periodic garbage collection. However, with "Packet Too Big Messages" it is possible to exceed the routing table size and garbage collector threshold. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:2950 0 None None None 2024-05-22 09:13:21 UTC
Red Hat Product Errata RHSA-2024:3138 0 None None None 2024-05-22 09:52:48 UTC

Description Robb Gatica 2024-01-11 22:16:37 UTC
A flaw in the Linux Kernel found. When a router encounters an IPv6 packet too big to transmit to the next-hop, it returns an ICMP6 "Packet Too Big" (PTB) message to the sender. The sender caches this updated Maximum Transmission Unit (MTU) so it knows not to exceed this value when subsequently routing to the same host.
In Linux kernels prior to 6.3, garbage collection is run on the IPv6 Destination Route Cache if the number of entries exceeds a threshold when adding the destination to the cache. This garbage collection examines every entry in the cache while holding a lock. In these affected kernel versions, a flood of the IPv6 ICMP6 PTB messages could cause high lock contention and increased CPU usage, leading to a Denial-of-Service.

The fix backports the garbage collection improvements from Linux kernel 6.3 by bringing the IPv6 code closer to the IPv4 code, which does not have this issue.

References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=af6d10345ca76670c1b7c37799f0d5576ccef277
https://alas.aws.amazon.com/cve/html/CVE-2023-52340.html

Comment 8 Alex 2024-01-28 09:23:37 UTC
Additional info:

ICMP6 “Packet Too Big” packets force a DoS of the Linux kernel by forcing 100% CPU utilization.

ICMP6 “Packet Too Big” Messages can force 100% CPU utilization in network IRQ threads within the Linux kernel on robust systems. When the ICMP6 Packet Too Big messages are received by a host, the Linux kernel will cache the destination information from the packet headers in the routing table to segment or fragment packets to a size that falls within the path MTU reported by the PTB. The Linux kernel garbage collection periodically runs to remove stale routes from the table to prevent the table from becoming oversized. During the handling of the ICMP6 Packet Too Big Messages, the routing table size can exceed the garbage collector threshold which is typically 1024. When the garbage collector threshold is exceeded, the Linux kernel will execute ip6_dst_gc(). In the event that the table exceeds the rt_max_size of 4096, the kernel will initiate the garbage collector function fib6_run_gc() with the force argument set to true. The fib6_run_gc() will obtain the spin lock, spin_lock_bh, and block the Linux kernel from writing additional details to the route table, regardless of the previous garbage collector iterations or if it is needed. In an effort to bypass the garbage collector block, the Linux kernel will raise an exception, rt6_insert_exception(), to continue to write to the route table but the function will obtain the global spin lock, spin_lock_bh(&rt6_exception_lock), which further blocks linux processes. The continue blocking behavior from the garbage collector and route table insert exception leads to a 100% CPU utilization since the queues are full during the execution of fib6_run_gc().

Comment 11 Alex 2024-01-28 09:39:45 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2260726]

Comment 15 Justin M. Forbes 2024-01-29 18:24:15 UTC
This was fixed for Fedora with the 6.3 stable kernel rebases.

Comment 17 errata-xmlrpc 2024-05-22 09:13:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950

Comment 18 errata-xmlrpc 2024-05-22 09:52:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138


Note You need to log in before you can comment on or make changes to this bug.