CVE-2023-53578
- Source
- https://cve.org/CVERecord?id=CVE-2023-53578
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53578.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-53578
- Downstream
- Related
- Published
- 2025-10-04T15:17:17.350Z
- Modified
- 2026-05-13T03:52:43.123842466Z
- Summary
- net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: Fix an uninit variable access bug in qrtrtxresume()
Syzbot reported a bug as following:
===================================================== BUG: KMSAN: uninit-value in qrtrtxresume+0x185/0x1f0 net/qrtr/afqrtr.c:230 qrtrtxresume+0x185/0x1f0 net/qrtr/afqrtr.c:230 qrtrendpointpost+0xf85/0x11b0 net/qrtr/afqrtr.c:519 qrtrtunwriteiter+0x270/0x400 net/qrtr/tun.c:108 callwriteiter include/linux/fs.h:2189 [inline] aiowrite+0x63a/0x950 fs/aio.c:1600 iosubmit_one+0x1d1c/0x3bf0 fs/aio.c:2019 __dosysio_submit fs/aio.c:2078 [inline] __sesysio_submit+0x293/0x770 fs/aio.c:2048 _x64sysiosubmit+0x92/0xd0 fs/aio.c:2048 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd
Uninit was created at: slabpostallochook mm/slab.h:766 [inline] slaballoc_node mm/slub.c:3452 [inline] __kmemcachealloc_node+0x71f/0xce0 mm/slub.c:3491 __dokmallocnode mm/slab_common.c:967 [inline] __kmallocnodetrackcaller+0x114/0x3b0 mm/slabcommon.c:988 kmalloc_reserve net/core/skbuff.c:492 [inline] __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565 __netdevallocskb+0x120/0x7d0 net/core/skbuff.c:630 qrtrendpointpost+0xbd/0x11b0 net/qrtr/afqrtr.c:446 qrtrtunwriteiter+0x270/0x400 net/qrtr/tun.c:108 callwriteiter include/linux/fs.h:2189 [inline] aiowrite+0x63a/0x950 fs/aio.c:1600 iosubmit_one+0x1d1c/0x3bf0 fs/aio.c:2019 __dosysio_submit fs/aio.c:2078 [inline] __sesysio_submit+0x293/0x770 fs/aio.c:2048 _x64sysiosubmit+0x92/0xd0 fs/aio.c:2048 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd
It is because that skb->len requires at least sizeof(struct qrtrctrlpkt) in qrtrtxresume(). And skb->len equals to size in qrtrendpointpost(). But size is less than sizeof(struct qrtrctrlpkt) when qrtrcb->type equals to QRTRTYPERESUMETX in qrtrendpointpost() under the syzbot scenario. This triggers the uninit variable access bug.
Add size check when qrtrcb->type equals to QRTRTYPERESUMETX in qrtrendpointpost() to fix the bug.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53578.json" }- References
-
- https://git.kernel.org/stable/c/3814d211ff13ee35f2d9437439a6c7df58524137
- https://git.kernel.org/stable/c/6417070918de3bcdbe0646e7256dae58fd8083ba
- https://git.kernel.org/stable/c/8c9ce34a6ff2c544f96ce0b088e8fd3c1b9698c4
- https://git.kernel.org/stable/c/bef57c227b52c2bde00fad33556175d36d12cfa0
- https://git.kernel.org/stable/c/c6a796ee5a639ffb83c6e5469408cc2ec16cac6a
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53578.json
- https://nvd.nist.gov/vuln/detail/CVE-2023-53578
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced5fdeb0d372ab33b4175043a2a4a1730239a217f1Fixed3814d211ff13ee35f2d9437439a6c7df58524137Fixedc6a796ee5a639ffb83c6e5469408cc2ec16cac6aFixedbef57c227b52c2bde00fad33556175d36d12cfa0Fixed8c9ce34a6ff2c544f96ce0b088e8fd3c1b9698c4Fixed6417070918de3bcdbe0646e7256dae58fd8083ba