CVE-2023-53578

Source
https://cve.org/CVERecord?id=CVE-2023-53578
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53578.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53578
Downstream
Related
Published
2025-10-04T15:17:17.350Z
Modified
2026-03-20T12:33:14.061162Z
Summary
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()

Syzbot reported the following bug:

=====================================================
BUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
 qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
 qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519
 qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
 call_write_iter include/linux/fs.h:2189 [inline]
 aio_write+0x63a/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:766 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988
 kmalloc_reserve net/core/skbuff.c:492 [inline]
 __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565
 __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630
 qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446
 qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
 call_write_iter include/linux/fs.h:2189 [inline]
 aio_write+0x63a/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

This is because skb->len must be at least sizeof(struct qrtr_ctrl_pkt) in qrtr_tx_resume(), and skb->len equals size in qrtr_endpoint_post(). But size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type equals QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot scenario. This triggers the uninit variable access bug.

Add a size check when qrtr_cb->type equals QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() to fix the bug.
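
The size check described above, as an added user-space model (not the kernel patch and not code from this record): the dispatcher, which knows the real payload size, rejects a short control payload before the consumer reads a full structure from it. All model_* and demo_* names, the struct layout and the sample buffers are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for this example; not the kernel's definitions. */
enum { MODEL_TYPE_RESUME_TX = 2 };

struct model_ctrl_pkt {            /* plays the role of struct qrtr_ctrl_pkt */
    uint32_t cmd, node, port;
};

/* Consumer: like qrtr_tx_resume(), it reads a whole control packet. */
static int model_tx_resume(const uint8_t *data)
{
    struct model_ctrl_pkt pkt;

    memcpy(&pkt, data, sizeof(pkt));   /* needs sizeof(pkt) valid bytes */
    return (int)pkt.port;
}

/* Dispatcher: like qrtr_endpoint_post(), it is the one that knows `size`. */
int model_endpoint_post(int type, const uint8_t *data, size_t size)
{
    if (type == MODEL_TYPE_RESUME_TX) {
        /* The check the fix describes: reject short control payloads. */
        if (size < sizeof(struct model_ctrl_pkt))
            return -EINVAL;
        return model_tx_resume(data);
    }
    return 0;                          /* other types are out of scope here */
}

/* Constructed input: only 4 payload bytes were written by the sender. */
int demo_short_packet(void)
{
    uint8_t buf[sizeof(struct model_ctrl_pkt)] = { 0x01 };

    return model_endpoint_post(MODEL_TYPE_RESUME_TX, buf, 4);
}

/* Constructed input: a complete control packet carrying port 9. */
int demo_full_packet(void)
{
    struct model_ctrl_pkt pkt = { .cmd = 7, .node = 1, .port = 9 };
    uint8_t buf[sizeof(pkt)];

    memcpy(buf, &pkt, sizeof(pkt));
    return model_endpoint_post(MODEL_TYPE_RESUME_TX, buf, sizeof(buf));
}
```

Without the size comparison in model_endpoint_post(), the short case would copy bytes the sender never wrote, which is the condition KMSAN flagged in the trace.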

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53578.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5fdeb0d372ab33b4175043a2a4a1730239a217f1
Fixed
3814d211ff13ee35f2d9437439a6c7df58524137
Fixed
c6a796ee5a639ffb83c6e5469408cc2ec16cac6a
Fixed
bef57c227b52c2bde00fad33556175d36d12cfa0
Fixed
8c9ce34a6ff2c544f96ce0b088e8fd3c1b9698c4
Fixed
6417070918de3bcdbe0646e7256dae58fd8083ba

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53578.json"