CVE-2023-54223 (GCVE-0-2023-54223)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
Title
net/mlx5e: xsk: Fix invalid buffer access for legacy rq
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix invalid buffer access for legacy rq The below crash can be encountered when using xdpsock in rx mode for legacy rq: the buffer gets released in the XDP_REDIRECT path, and then once again in the driver. This fix sets the flag to avoid releasing on the driver side. XSK handling of buffers for legacy rq was relying on the caller to set the skip release flag. But the referenced fix started using fragment counts for pages instead of the skip flag. Crash log: general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28 Code: ... RSP: 0018:ffff88810082fc98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901 RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006 R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000 R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00 FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x32/0x80 ? exc_general_protection+0x192/0x390 ? asm_exc_general_protection+0x22/0x30 ? 0xffffffffa000b514 ? bpf_prog_03b13f331978c78c+0xf/0x28 mlx5e_xdp_handle+0x48/0x670 [mlx5_core] ? dev_gro_receive+0x3b5/0x6e0 mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core] mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core] mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core] mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core] __napi_poll+0x25/0x1a0 net_rx_action+0x28a/0x300 __do_softirq+0xcd/0x279 ? sort_range+0x20/0x20 run_ksoftirqd+0x1a/0x20 smpboot_thread_fn+0xa2/0x130 kthread+0xc9/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core] ---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: cbb5379362513cbff450df0457dc370da7244bec , < 58a113a35846d9a5bd759beb332e551e28451f09 (git)
Affected: 7abd955a58fb0fcd4e756fa2065c03ae488fcfa7 , < e0f52298fee449fec37e3e3c32df60008b509b16 (git)
Create a notification for this product.
    Linux Linux Affected: 6.4.5 , < 6.4.10 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/xsk/rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "58a113a35846d9a5bd759beb332e551e28451f09",
              "status": "affected",
              "version": "cbb5379362513cbff450df0457dc370da7244bec",
              "versionType": "git"
            },
            {
              "lessThan": "e0f52298fee449fec37e3e3c32df60008b509b16",
              "status": "affected",
              "version": "7abd955a58fb0fcd4e756fa2065c03ae488fcfa7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/xsk/rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.4.10",
              "status": "affected",
              "version": "6.4.5",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.10",
                  "versionStartIncluding": "6.4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: xsk: Fix invalid buffer access for legacy rq\n\nThe below crash can be encountered when using xdpsock in rx mode for\nlegacy rq: the buffer gets released in the XDP_REDIRECT path, and then\nonce again in the driver. This fix sets the flag to avoid releasing on\nthe driver side.\n\nXSK handling of buffers for legacy rq was relying on the caller to set\nthe skip release flag. But the referenced fix started using fragment\ncounts for pages instead of the skip flag.\n\nCrash log:\n general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP\n CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28\n Code:  ...\n RSP: 0018:ffff88810082fc98 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc\n RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901\n RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006\n R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000\n R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00\n FS:  0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  \u003cTASK\u003e\n  ? die_addr+0x32/0x80\n  ? exc_general_protection+0x192/0x390\n  ? asm_exc_general_protection+0x22/0x30\n  ? 0xffffffffa000b514\n  ? bpf_prog_03b13f331978c78c+0xf/0x28\n  mlx5e_xdp_handle+0x48/0x670 [mlx5_core]\n  ? dev_gro_receive+0x3b5/0x6e0\n  mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core]\n  mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core]\n  mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core]\n  mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core]\n  __napi_poll+0x25/0x1a0\n  net_rx_action+0x28a/0x300\n  __do_softirq+0xcd/0x279\n  ? sort_range+0x20/0x20\n  run_ksoftirqd+0x1a/0x20\n  smpboot_thread_fn+0xa2/0x130\n  kthread+0xc9/0xf0\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x1f/0x30\n  \u003c/TASK\u003e\n Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:11:17.389Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/58a113a35846d9a5bd759beb332e551e28451f09"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0f52298fee449fec37e3e3c32df60008b509b16"
        }
      ],
      "title": "net/mlx5e: xsk: Fix invalid buffer access for legacy rq",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54223",
    "datePublished": "2025-12-30T12:11:17.389Z",
    "dateReserved": "2025-12-30T12:06:44.501Z",
    "dateUpdated": "2025-12-30T12:11:17.389Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.