{"id":"CVE-2023-53107","summary":"veth: Fix use after free in XDP_REDIRECT","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nveth: Fix use after free in XDP_REDIRECT\n\nCommit 718a18a0c8a6 (\"veth: Rework veth_xdp_rcv_skb in order\nto accept non-linear skb\") introduced a bug where it tried to\nuse pskb_expand_head() if the headroom was less than\nXDP_PACKET_HEADROOM.  This however uses kmalloc to expand the head,\nwhich will later allow consume_skb() to free the skb while is it still\nin use by AF_XDP.\n\nPreviously if the headroom was less than XDP_PACKET_HEADROOM we\ncontinued on to allocate a new skb from pages so this restores that\nbehavior.\n\nBUG: KASAN: use-after-free in __xsk_rcv+0x18d/0x2c0\nRead of size 78 at addr ffff888976250154 by task napi/iconduit-g/148640\n\nCPU: 5 PID: 148640 Comm: napi/iconduit-g Kdump: loaded Tainted: G           O       6.1.4-cloudflare-kasan-2023.1.2 #1\nHardware name: Quanta Computer Inc. QuantaPlex T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018\nCall Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x34/0x48\n  print_report+0x170/0x473\n  ? __xsk_rcv+0x18d/0x2c0\n  kasan_report+0xad/0x130\n  ? __xsk_rcv+0x18d/0x2c0\n  kasan_check_range+0x149/0x1a0\n  memcpy+0x20/0x60\n  __xsk_rcv+0x18d/0x2c0\n  __xsk_map_redirect+0x1f3/0x490\n  ? veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]\n  xdp_do_redirect+0x5ca/0xd60\n  veth_xdp_rcv_skb+0x935/0x1ba0 [veth]\n  ? __netif_receive_skb_list_core+0x671/0x920\n  ? veth_xdp+0x670/0x670 [veth]\n  veth_xdp_rcv+0x304/0xa20 [veth]\n  ? do_xdp_generic+0x150/0x150\n  ? veth_xdp_rcv_one+0xde0/0xde0 [veth]\n  ? _raw_spin_lock_bh+0xe0/0xe0\n  ? newidle_balance+0x887/0xe30\n  ? __perf_event_task_sched_in+0xdb/0x800\n  veth_poll+0x139/0x571 [veth]\n  ? veth_xdp_rcv+0xa20/0xa20 [veth]\n  ? _raw_spin_unlock+0x39/0x70\n  ? finish_task_switch.isra.0+0x17e/0x7d0\n  ? __switch_to+0x5cf/0x1070\n  ? __schedule+0x95b/0x2640\n  ? io_schedule_timeout+0x160/0x160\n  __napi_poll+0xa1/0x440\n  napi_threaded_poll+0x3d1/0x460\n  ? __napi_poll+0x440/0x440\n  ? __kthread_parkme+0xc6/0x1f0\n  ? __napi_poll+0x440/0x440\n  kthread+0x2a2/0x340\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x22/0x30\n  \u003c/TASK\u003e\n\nFreed by task 148640:\n  kasan_save_stack+0x23/0x50\n  kasan_set_track+0x21/0x30\n  kasan_save_free_info+0x2a/0x40\n  ____kasan_slab_free+0x169/0x1d0\n  slab_free_freelist_hook+0xd2/0x190\n  __kmem_cache_free+0x1a1/0x2f0\n  skb_release_data+0x449/0x600\n  consume_skb+0x9f/0x1c0\n  veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]\n  veth_xdp_rcv+0x304/0xa20 [veth]\n  veth_poll+0x139/0x571 [veth]\n  __napi_poll+0xa1/0x440\n  napi_threaded_poll+0x3d1/0x460\n  kthread+0x2a2/0x340\n  ret_from_fork+0x22/0x30\n\nThe buggy address belongs to the object at ffff888976250000\n  which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 340 bytes inside of\n  2048-byte region [ffff888976250000, ffff888976250800)\n\nThe buggy address belongs to the physical page:\npage:00000000ae18262a refcount:2 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x976250\nhead:00000000ae18262a order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)\nraw: 002ffff800010200 0000000000000000 dead000000000122 ffff88810004cf00\nraw: 0000000000000000 0000000080080008 00000002ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n  ffff888976250000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff888976250080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003e ffff888976250100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                  ^\n  ffff888976250180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff888976250200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb","modified":"2026-03-20T12:32:58.297100Z","published":"2025-05-02T15:55:48.206Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53107.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6e755b56896df48b0fae0db275e148f8d8aa7d6f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/717d20710596b5b26595ede454d1105fa176f4a4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7c10131803e45269ddc6c817f19ed649110f3cae"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53107.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53107"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"718a18a0c8a67f97781e40bdef7cdd055c430996"},{"fixed":"717d20710596b5b26595ede454d1105fa176f4a4"},{"fixed":"6e755b56896df48b0fae0db275e148f8d8aa7d6f"},{"fixed":"7c10131803e45269ddc6c817f19ed649110f3cae"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53107.json"}}],"schema_version":"1.7.5"}