Security Vulnerability Report
CVE-2023-53661 CVSS 5.5 MEDIUM

Published: 2025-10-07 16:15:50
Last Modified: 2026-02-26 23:12:47
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

bnxt: avoid overflow in bnxt_get_nvram_directory()

The value of an arithmetic expression is subject to possible overflow due to a failure to cast operands to a larger data type before performing arithmetic. Used a macro for multiplication instead of the operator to avoid overflow.

Found by Security Code and Linux Verification Center (linuxtesting.org) with SVACE.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

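cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 4.4 up to, but excluding, 5.15.113) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 up to, but excluding, 6.1.30) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 up to, but excluding, 6.3.4) - VULNERABLE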
Linux Kernel < 6.6 (affected version)
Linux Kernel 6.6.x (affected version)
Linux Kernel 6.1.x LTS (affected version)
Linux Kernel 5.15.x LTS (affected version)
Linux Kernel 5.10.x LTS (affected version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2023-53661 - Linux Kernel bnxt Integer Overflow PoC
 * This PoC demonstrates the integer overflow vulnerability in
 * bnxt_get_nvram_directory() function.
 *
 * Note: This vulnerability requires local access with low privileges
 * and interaction with the bnxt network driver.
 */
#include <stdio.h>
#include <errno.h>

/* Simulate the vulnerable code pattern */
#define BNXT_MAX_NVRAM_SIZE 0xFFFFFFFF

/* Vulnerable function - mimics bnxt_get_nvram_directory() */
static int bnxt_get_nvram_directory_vulnerable(unsigned int dir_size,
                                               unsigned int entry_size,
                                               unsigned int *num_entries)
{
    /* Guard the division below; unrelated to the overflow itself */
    if (entry_size == 0)
        return -EINVAL;

    /* Integer overflow occurs here when dir_size * entry_size overflows */
    unsigned int total_size = dir_size * entry_size;

    /* Never true for a 32-bit unsigned value, so a wrapped product passes */
    if (total_size > BNXT_MAX_NVRAM_SIZE) {
        return -EINVAL;
    }

    *num_entries = total_size / entry_size;
    return 0;
}

/* Fixed function using safe multiplication */
static int bnxt_get_nvram_directory_fixed(unsigned int dir_size,
                                          unsigned int entry_size,
                                          unsigned int *num_entries)
{
    unsigned int total_size;

    /* Guard the division below */
    if (entry_size == 0)
        return -EINVAL;

    /* Use the compiler's checked-multiplication builtin to detect overflow */
    if (__builtin_mul_overflow(dir_size, entry_size, &total_size)) {
        return -EOVERFLOW;
    }

    if (total_size > BNXT_MAX_NVRAM_SIZE) {
        return -EINVAL;
    }

    *num_entries = total_size / entry_size;
    return 0;
}

int main(void)
{
    unsigned int dir_size = 0x10000;
    unsigned int entry_size = 0x10000;
    unsigned int num_entries = 0;
    int ret;

    printf("[*] CVE-2023-53661 PoC - bnxt Integer Overflow\n");
    printf("[*] Testing vulnerable function with dir_size=0x%x, entry_size=0x%x\n",
           dir_size, entry_size);

    /* Trigger the overflow: 0x10000 * 0x10000 = 0x100000000 (overflows to 0 for 32-bit) */
    ret = bnxt_get_nvram_directory_vulnerable(dir_size, entry_size, &num_entries);
    printf("[*] Vulnerable result: ret=%d, num_entries=%u\n", ret, num_entries);

    /* Test the fixed version */
    ret = bnxt_get_nvram_directory_fixed(dir_size, entry_size, &num_entries);
    printf("[*] Fixed result: ret=%d, num_entries=%u\n", ret, num_entries);

    printf("[*] In real scenario, this would trigger kernel panic via ioctl to bnxt driver\n");
    printf("[*] Example: ioctl(fd, BNXT_GET_NVRAM_DIR, &dir_params)\n");
    return 0;
}
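The description attributes the bug to multiplying before casting to a larger type. The following added example (not part of the original page and not the kernel patch itself) shows why storing a 32-bit product in a wider variable still under-sizes a buffer, and how a widening multiply avoids it. `widen_mul_u32()` is a userspace stand-in written in the style of the kernel's `mul_u32_u32()` helper; the function names, variable names and sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for a widening multiply helper (hypothetical name):
 * the cast to 64 bits happens BEFORE the multiplication. */
static uint64_t widen_mul_u32(uint32_t a, uint32_t b)
{
    return (uint64_t)a * b;
}

/* Flawed pattern: both operands are 32-bit, so the product is computed
 * modulo 2^32; only the already-wrapped result is widened on assignment. */
static uint64_t buflen_narrow(uint32_t entries, uint32_t entry_len)
{
    uint64_t buflen = entries * entry_len;
    return buflen;
}

/* Corrected pattern: the multiplication itself is carried out in 64 bits. */
static uint64_t buflen_wide(uint32_t entries, uint32_t entry_len)
{
    return widen_mul_u32(entries, entry_len);
}

/* Returns 1 when the narrow computation yields a smaller length than the
 * true product, i.e. a buffer sized from it would be too small. */
static int undersized(uint32_t entries, uint32_t entry_len)
{
    return buflen_narrow(entries, entry_len) < buflen_wide(entries, entry_len);
}

int main(void)
{
    /* Constructed sample values: typical, wrap to zero, wrap to a large
     * value, and the largest product here that still fits in 32 bits. */
    static const uint32_t cases[][2] = {
        {16, 24}, {0x10000, 0x10000}, {0xFFFFFFFFu, 2}, {65536, 65535},
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t n = cases[i][0], len = cases[i][1];
        printf("entries=%u len=%u narrow=%llu wide=%llu undersized=%d\n",
               n, len,
               (unsigned long long)buflen_narrow(n, len),
               (unsigned long long)buflen_wide(n, len),
               undersized(n, len));
    }
    return 0;
}
```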

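References

https://git.kernel.org/stable/c/17e0453a7523ad7a25bb47af941b150a6c66d7b6 (Patch)
https://git.kernel.org/stable/c/7c6dddc239abe660598c49ec95ea0ed6399a4b2a (Patch)
https://git.kernel.org/stable/c/d5eaf2a6b077f32a477feb1e9e1c1f60605b460e (Patch)
https://git.kernel.org/stable/c/efb1a257513438d43f4335f09b2f684e8167cad2 (Patch)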

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53661", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:49.810", "lastModified": "2026-02-26T23:12:46.970", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: avoid overflow in bnxt_get_nvram_directory()\n\nThe value of an arithmetic expression is subject\nof possible overflow due to a failure to cast operands to a larger data\ntype before performing arithmetic. Used macro for multiplication instead\noperator for avoiding overflow.\n\nFound by Security Code and Linux Verification\nCenter (linuxtesting.org) with SVACE."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4", "versionEndExcluding": "5.15.113", "matchCriteriaId": "AFD9072E-62C5-4362-B1C7-703543C88B7B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.30", "matchCriteriaId": "E9430E62-03EA-42E6-9E5E-BD1D5124D107"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.4", "matchCriteriaId": 
"26C54BF0-3EED-46D4-92A7-5F07F658B49B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/17e0453a7523ad7a25bb47af941b150a6c66d7b6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7c6dddc239abe660598c49ec95ea0ed6399a4b2a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d5eaf2a6b077f32a477feb1e9e1c1f60605b460e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/efb1a257513438d43f4335f09b2f684e8167cad2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}