CVE-2023-54155 (GCVE-0-2023-54155)
Vulnerability from cvelistv5
Published
2025-12-24 13:07
Modified
2025-12-24 13:07
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() Syzkaller reported the following issue: ======================================= Too BIG xdp->frame_sz = 131072 WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 ... Call Trace: <TASK> bpf_prog_4add87e5301a4105+0x1a/0x1c __bpf_prog_run include/linux/filter.h:600 [inline] bpf_prog_run_xdp include/linux/filter.h:775 [inline] bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721 netif_receive_generic_xdp net/core/dev.c:4807 [inline] do_xdp_generic+0x35c/0x770 net/core/dev.c:4866 tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919 tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043 call_write_iter include/linux/fs.h:1871 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x650/0xe40 fs/read_write.c:584 ksys_write+0x12f/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87 ("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper Dangaard Brouer <jbrouer@redhat.com> noted that after introducing the xdp_init_buff() which all XDP driver use - it's safe to remove this check. The original intend was to catch cases where XDP drivers have not been updated to use xdp.frame_sz, but that is not longer a concern (since xdp_init_buff). Running the initial syzkaller repro it was discovered that the contiguous physical memory allocation is used for both xdp paths in tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can work on higher order pages, as long as this is contiguous physical memory (e.g. a page).
References
Impacted products
Vendor Product Version
Linux Linux Version: 43b5169d8355ccf26d726fbc75f083b2429113e4
Version: 43b5169d8355ccf26d726fbc75f083b2429113e4
Version: 43b5169d8355ccf26d726fbc75f083b2429113e4
Version: 43b5169d8355ccf26d726fbc75f083b2429113e4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8",
              "status": "affected",
              "version": "43b5169d8355ccf26d726fbc75f083b2429113e4",
              "versionType": "git"
            },
            {
              "lessThan": "20acffcdc2b74fb7dcc4e299f7aca173df89d911",
              "status": "affected",
              "version": "43b5169d8355ccf26d726fbc75f083b2429113e4",
              "versionType": "git"
            },
            {
              "lessThan": "d9252d67ed2f921c230bba449ee051b5c32e4841",
              "status": "affected",
              "version": "43b5169d8355ccf26d726fbc75f083b2429113e4",
              "versionType": "git"
            },
            {
              "lessThan": "d14eea09edf427fa36bd446f4a3271f99164202f",
              "status": "affected",
              "version": "43b5169d8355ccf26d726fbc75f083b2429113e4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.127",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.46",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.11",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()\n\nSyzkaller reported the following issue:\n=======================================\nToo BIG xdp-\u003eframe_sz = 131072\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\n  ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\n  bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103\n...\nCall Trace:\n \u003cTASK\u003e\n bpf_prog_4add87e5301a4105+0x1a/0x1c\n __bpf_prog_run include/linux/filter.h:600 [inline]\n bpf_prog_run_xdp include/linux/filter.h:775 [inline]\n bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721\n netif_receive_generic_xdp net/core/dev.c:4807 [inline]\n do_xdp_generic+0x35c/0x770 net/core/dev.c:4866\n tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919\n tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043\n call_write_iter include/linux/fs.h:1871 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x650/0xe40 fs/read_write.c:584\n ksys_write+0x12f/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nxdp-\u003eframe_sz \u003e PAGE_SIZE check was introduced in commit c8741e2bfe87\n(\"xdp: Allow bpf_xdp_adjust_tail() to grow packet size\"). But Jesper\nDangaard Brouer \u003cjbrouer@redhat.com\u003e noted that after introducing the\nxdp_init_buff() which all XDP driver use - it\u0027s safe to remove this\ncheck. The original intend was to catch cases where XDP drivers have\nnot been updated to use xdp.frame_sz, but that is not longer a concern\n(since xdp_init_buff).\n\nRunning the initial syzkaller repro it was discovered that the\ncontiguous physical memory allocation is used for both xdp paths in\ntun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also\nstated by Jesper Dangaard Brouer \u003cjbrouer@redhat.com\u003e that XDP can\nwork on higher order pages, as long as this is contiguous physical\nmemory (e.g. a page)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T13:07:05.385Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/20acffcdc2b74fb7dcc4e299f7aca173df89d911"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9252d67ed2f921c230bba449ee051b5c32e4841"
        },
        {
          "url": "https://git.kernel.org/stable/c/d14eea09edf427fa36bd446f4a3271f99164202f"
        }
      ],
      "title": "net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54155",
    "datePublished": "2025-12-24T13:07:05.385Z",
    "dateReserved": "2025-12-24T13:02:52.530Z",
    "dateUpdated": "2025-12-24T13:07:05.385Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54155\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:17.510\",\"lastModified\":\"2025-12-24T13:16:17.510\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()\\n\\nSyzkaller reported the following issue:\\n=======================================\\nToo BIG xdp-\u003eframe_sz = 131072\\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\\n  ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]\\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\\n  bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103\\n...\\nCall Trace:\\n \u003cTASK\u003e\\n bpf_prog_4add87e5301a4105+0x1a/0x1c\\n __bpf_prog_run include/linux/filter.h:600 [inline]\\n bpf_prog_run_xdp include/linux/filter.h:775 [inline]\\n bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721\\n netif_receive_generic_xdp net/core/dev.c:4807 [inline]\\n do_xdp_generic+0x35c/0x770 net/core/dev.c:4866\\n tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919\\n tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043\\n call_write_iter include/linux/fs.h:1871 [inline]\\n new_sync_write fs/read_write.c:491 [inline]\\n vfs_write+0x650/0xe40 fs/read_write.c:584\\n ksys_write+0x12f/0x250 fs/read_write.c:637\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nxdp-\u003eframe_sz \u003e PAGE_SIZE check was introduced in commit c8741e2bfe87\\n(\\\"xdp: Allow bpf_xdp_adjust_tail() to grow packet size\\\"). But Jesper\\nDangaard Brouer \u003cjbrouer@redhat.com\u003e noted that after introducing the\\nxdp_init_buff() which all XDP driver use - it\u0027s safe to remove this\\ncheck. The original intend was to catch cases where XDP drivers have\\nnot been updated to use xdp.frame_sz, but that is not longer a concern\\n(since xdp_init_buff).\\n\\nRunning the initial syzkaller repro it was discovered that the\\ncontiguous physical memory allocation is used for both xdp paths in\\ntun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also\\nstated by Jesper Dangaard Brouer \u003cjbrouer@redhat.com\u003e that XDP can\\nwork on higher order pages, as long as this is contiguous physical\\nmemory (e.g. a page).\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/20acffcdc2b74fb7dcc4e299f7aca173df89d911\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d14eea09edf427fa36bd446f4a3271f99164202f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d9252d67ed2f921c230bba449ee051b5c32e4841\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.