In the Linux kernel, the following vulnerability has been resolved:
net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()

Too BIG xdp->frame_sz = 131072
WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 __bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]
WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103
...
Call Trace:
<TASK>
bpf_prog_4add87e5301a4105+0x1a/0x1c
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run_xdp include/linux/filter.h:775 [inline]
bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721
netif_receive_generic_xdp net/core/dev.c:4807 [inline]
do_xdp_generic+0x35c/0x770 net/core/dev.c:4866
tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919
tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043
call_write_iter include/linux/fs.h:1871 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x650/0xe40 fs/read_write.c:584
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87 ("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper Dangaard Brouer <jbrouer@redhat.com> noted that after introducing xdp_init_buff(), which all XDP drivers use, it is safe to remove this check. The original intent was to catch cases where XDP drivers had not been updated to use xdp.frame_sz, but that is no longer a concern (since xdp_init_buff()).

Running the initial syzkaller repro, it was discovered that a contiguous physical memory allocation is used for both XDP paths in tun_get_user(), i.e. tun_build_skb() and tun_alloc_skb(). It was also stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can work on higher-order pages, as long as this is contiguous physical memory (e.g. a page).
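The following is an added, user-space model of the bounds checks in bpf_xdp_adjust_tail(); it is not kernel code and not part of the CVE record. It shows why the frame_sz > PAGE_SIZE "chicken check" the commit removes is redundant: the tailroom bound derived from xdp->frame_sz (the kernel's xdp_data_hard_end()) already rejects any growth that would leave the frame, so a 131072-byte contiguous frame from tun_get_user() is handled safely without the WARN. The struct, the constant standing in for sizeof(struct skb_shared_info), the headroom and payload sizes, and all function names are assumptions of this model.

```c
/* Added example: user-space model of bpf_xdp_adjust_tail() bounds checks.
 * Not kernel code. Sizes and names below are assumptions of the model. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MODEL_PAGE_SIZE   4096U
#define MODEL_ETH_HLEN    14U
/* Stand-in for sizeof(struct skb_shared_info); the real value is
 * arch/config dependent. */
#define MODEL_SHINFO_SIZE 320U
#define MODEL_EINVAL      22

enum { CHECK_NEW = 0, CHECK_OLD = 1 };

struct xdp_model {
	unsigned char *data_hard_start;
	unsigned char *data;
	unsigned char *data_end;
	uint32_t frame_sz;   /* in the kernel, set by xdp_init_buff() */
	int warned;          /* records that the removed WARN path fired */
};

/* Mirrors xdp_data_hard_end(): usable end derived from frame_sz. */
static unsigned char *model_hard_end(const struct xdp_model *x)
{
	return x->data_hard_start + x->frame_sz - MODEL_SHINFO_SIZE;
}

/* Returns 0 on success, -MODEL_EINVAL on rejection. */
static int model_adjust_tail(struct xdp_model *x, int offset, int keep_pagesize_check)
{
	unsigned char *hard_end = model_hard_end(x);
	unsigned char *new_end = x->data_end + offset;

	/* The real safety bound: growth may never pass the frame's hard end. */
	if (new_end > hard_end)
		return -MODEL_EINVAL;

	/* The check the commit removes: any frame larger than one page was
	 * treated as an un-updated driver and WARNed on, although the bound
	 * above already keeps the adjustment inside the frame. */
	if (keep_pagesize_check && x->frame_sz > MODEL_PAGE_SIZE) {
		x->warned = 1;
		return -MODEL_EINVAL;
	}

	/* Shrinking may not eat into the Ethernet header. */
	if (new_end < x->data + MODEL_ETH_HLEN)
		return -MODEL_EINVAL;

	/* Growing exposes uninitialised tailroom; zero it like the kernel does. */
	if (offset > 0)
		memset(x->data_end, 0, (size_t)offset);

	x->data_end = new_end;
	return 0;
}

/* One contiguous buffer backs the whole frame, as in tun_get_user(). */
static void model_init(struct xdp_model *x, unsigned char *buf, uint32_t frame_sz,
		       uint32_t headroom, uint32_t payload_len)
{
	memset(x, 0, sizeof(*x));
	x->data_hard_start = buf;
	x->data = buf + headroom;
	x->data_end = x->data + payload_len;
	x->frame_sz = frame_sz;
}

/* Scenario from the report: a 131072-byte frame reaching generic XDP. */
static unsigned char big_buf[131072];
#define MODEL_HEADROOM 256U
#define MODEL_PAYLOAD  1500U

int scenario_old_check_warns(void)
{
	struct xdp_model x;
	model_init(&x, big_buf, sizeof(big_buf), MODEL_HEADROOM, MODEL_PAYLOAD);
	model_adjust_tail(&x, 100, CHECK_OLD);
	return x.warned;                         /* 1: the WARN fired */
}

int scenario_new_check_grow_ok(void)
{
	struct xdp_model x;
	model_init(&x, big_buf, sizeof(big_buf), MODEL_HEADROOM, MODEL_PAYLOAD);
	return model_adjust_tail(&x, 100, CHECK_NEW);   /* 0: inside the frame */
}

int scenario_new_check_overshoot_rejected(void)
{
	struct xdp_model x;
	int room = (int)(sizeof(big_buf) - MODEL_SHINFO_SIZE - MODEL_HEADROOM - MODEL_PAYLOAD);
	model_init(&x, big_buf, sizeof(big_buf), MODEL_HEADROOM, MODEL_PAYLOAD);
	return model_adjust_tail(&x, room + 1, CHECK_NEW);  /* -22: past hard end */
}

int scenario_shrink_below_eth_hdr(void)
{
	struct xdp_model x;
	model_init(&x, big_buf, sizeof(big_buf), MODEL_HEADROOM, MODEL_PAYLOAD);
	return model_adjust_tail(&x, -(int)MODEL_PAYLOAD, CHECK_NEW);  /* -22 */
}
```

With the old check, every adjust_tail on the large tun frame fails and trips the WARN regardless of the requested offset; with the check removed, the same frame accepts growth that fits below the frame_sz-derived hard end and still rejects growth past it or shrinking below the Ethernet header, which is the behaviour the commit relies on.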
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54155.json",
"cna_assigner": "Linux"
}