In the Linux kernel, the following vulnerability has been resolved:
iavf: Fix out-of-bounds when setting channels on remove
If we increase the number of channels during iavf_remove() and the wait for the reset to complete times out, the function returns an error but has already changed num_active_queues directly. That leads to an out-of-bounds access like the one in the following logs, because num_active_queues is then greater than the number of tx_rings[]/rx_rings[] actually allocated.
Reproducer:
[root@host ~]# cat repro.sh
#!/bin/bash
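pf_dbsf="0000:41:00.0"   # PF whose VF count is toggled by do_set_numvf
vf0_dbsf="0000:41:02.0"  # first VF (iavf) whose channel count is changed
g_pids=()                # background worker PIDs, stopped by on_exit

# Repeatedly create two VFs on the PF and tear them down again, so the VF
# driver's remove path keeps racing against the channel changes below.
do_set_numvf() {
  echo 2 >"/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs"
  sleep $((RANDOM % 3 + 1))
  echo 0 >"/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs"
  sleep $((RANDOM % 3 + 1))
}

# Bring VF0's netdev up and switch its combined channel count from 1 to 4.
# Returns 1 after a short pause when the VF currently has no netdev
# (e.g. while it is being created or removed).
do_set_channel() {
  local nic
  # sysfs net/ holds one plain interface name, so listing it is safe here.
  nic=$(ls -1 --indicator-style=none "/sys/bus/pci/devices/${vf0_dbsf}/net/")
  [ -z "$nic" ] && { sleep $((RANDOM % 3)); return 1; }
  ifconfig "$nic" 192.168.18.5 netmask 255.255.255.0
  ifconfig "$nic" up
  ethtool -L "$nic" combined 1
  ethtool -L "$nic" combined 4
  sleep $((RANDOM % 3))
}

# EXIT handler: terminate every background worker that is still alive.
on_exit() {
  local pid
  for pid in "${g_pids[@]}"; do
    kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null
  done
  g_pids=()
}

trap "on_exit; exit" EXIT

# Run both loops concurrently; the bug shows up when a channel change is
# still in flight while the VF is being removed.
while :; do do_set_numvf; done &
g_pids+=($!)
while :; do do_set_channel; done &
g_pids+=($!)

wait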
Result:
[ 3506.152887] iavf 0000:41:02.0: Removing device
[ 3510.400799] ==================================================================
[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536
[ 3510.400823]
[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021
[ 3510.400835] Call Trace:
[ 3510.400851]  dump_stack+0x71/0xab
[ 3510.400860]  print_address_description+0x6b/0x290
[ 3510.400865]  ? iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400868]  kasan_report+0x14a/0x2b0
[ 3510.400873]  iavf_free_all_tx_resources+0x156/0x160 [iavf]
[ 3510.400880]  iavf_remove+0x2b6/0xc70 [iavf]
[ 3510.400884]  ? iavf_free_all_rx_resources+0x160/0x160 [iavf]
[ 3510.400891]  ? wait_woken+0x1d0/0x1d0
[ 3510.400895]  ? notifier_call_chain+0xc1/0x130
[ 3510.400903]  pci_device_remove+0xa8/0x1f0
[ 3510.400910]  device_release_driver_internal+0x1c6/0x460
[ 3510.400916]  pci_stop_bus_device+0x101/0x150
[ 3510.400919]  pci_stop_and_remove_bus_device+0xe/0x20
[ 3510.400924]  pci_iov_remove_virtfn+0x187/0x420
[ 3510.400927]  ? pci_iov_add_virtfn+0xe10/0xe10
[ 3510.400929]  ? pci_get_subsys+0x90/0x90
[ 3510.400932]  sriov_disable+0xed/0x3e0
[ 3510.400936]  ? bus_find_device+0x12d/0x1a0
[ 3510.400953]  i40e_free_vfs+0x754/0x1210 [i40e]
[ 3510.400966]  ? i40e_reset_all_vfs+0x880/0x880 [i40e]
[ 3510.400968]  ? pci_get_device+0x7c/0x90
[ 3510.400970]  ? pci_get_subsys+0x90/0x90
[ 3510.400982]  ? pci_vfs_assigned.part.7+0x144/0x210
[ 3510.400987]  ? __mutex_lock_slowpath+0x10/0x10
[ 3510.400996]  i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]
[ 3510.401001]  sriov_numvfs_store+0x214/0x290
[ 3510.401005]  ? sriov_totalvfs_show+0x30/0x30
[ 3510.401007]  ? __mutex_lock_slowpath+0x10/0x10
[ 3510.401011]  ? __check_object_size+0x15a/0x350
[ 3510.401018]  kernfs_fop_write+0x280/0x3f0
[ 3510.401022]  vfs_write+0x145/0x440
[ 3510.401025]  ksys_write+0xab/0x160
[ 3510.401028]  ? __ia32_sys_read+0xb0/0xb0
[ 3510.401031]  ? fput_many+0x1a/0x120
[ 3510.401032]  ? filp_close+0xf0/0x130
[ 3510.401038]  do_syscall_64+0xa0/0x370
[ 3510.401041]  ? page_fault+0x8/0x30
[ 3510.401043]  entry_SYSCALL_64_after_hwframe+0x65/0xca
[ 3510.401073] RIP: 0033:0x7f3a9bb842c0
[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d
---truncated---
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53659.json"
}