CVE-2023-53439
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/09/2025
Last modified:
19/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: skb_partial_csum_set() fix against transport header magic value<br />
<br />
skb->transport_header uses the special 0xFFFF value<br />
to mark if the transport header was set or not.<br />
<br />
We must prevent callers to accidentaly set skb->transport_header<br />
to 0xFFFF. Note that only fuzzers can possibly do this today.<br />
<br />
syzbot reported:<br />
<br />
WARNING: CPU: 0 PID: 2340 at include/linux/skbuff.h:2847 skb_transport_offset include/linux/skbuff.h:2956 [inline]<br />
WARNING: CPU: 0 PID: 2340 at include/linux/skbuff.h:2847 virtio_net_hdr_to_skb+0xbcc/0x10c0 include/linux/virtio_net.h:103<br />
Modules linked in:<br />
CPU: 0 PID: 2340 Comm: syz-executor.0 Not tainted 6.3.0-syzkaller #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023<br />
RIP: 0010:skb_transport_header include/linux/skbuff.h:2847 [inline]<br />
RIP: 0010:skb_transport_offset include/linux/skbuff.h:2956 [inline]<br />
RIP: 0010:virtio_net_hdr_to_skb+0xbcc/0x10c0 include/linux/virtio_net.h:103<br />
Code: 41 39 df 0f 82 c3 04 00 00 48 8b 7c 24 10 44 89 e6 e8 08 6e 59 ff 48 85 c0 74 54 e8 ce 36 7e fc e9 37 f8 ff ff e8 c4 36 7e fc 0b e9 93 f8 ff ff 44 89 f7 44 89 e6 e8 32 38 7e fc 45 39 e6 0f<br />
RSP: 0018:ffffc90004497880 EFLAGS: 00010293<br />
RAX: ffffffff84fea55c RBX: 000000000000ffff RCX: ffff888120be2100<br />
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff<br />
RBP: ffffc90004497990 R08: ffffffff84fe9de5 R09: 0000000000000034<br />
R10: ffffea00048ebd80 R11: 0000000000000034 R12: ffff88811dc2d9c8<br />
R13: dffffc0000000000 R14: ffff88811dc2d9ae R15: 1ffff11023b85b35<br />
FS: 00007f9211a59700(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00000000200002c0 CR3: 00000001215a5000 CR4: 00000000003506f0<br />
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
Call Trace:<br />
<br />
packet_snd net/packet/af_packet.c:3076 [inline]<br />
packet_sendmsg+0x4590/0x61a0 net/packet/af_packet.c:3115<br />
sock_sendmsg_nosec net/socket.c:724 [inline]<br />
sock_sendmsg net/socket.c:747 [inline]<br />
__sys_sendto+0x472/0x630 net/socket.c:2144<br />
__do_sys_sendto net/socket.c:2156 [inline]<br />
__se_sys_sendto net/socket.c:2152 [inline]<br />
__x64_sys_sendto+0xe5/0x100 net/socket.c:2152<br />
do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br />
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80<br />
entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />
RIP: 0033:0x7f9210c8c169<br />
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br />
RSP: 002b:00007f9211a59168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c<br />
RAX: ffffffffffffffda RBX: 00007f9210dabf80 RCX: 00007f9210c8c169<br />
RDX: 000000000000ffed RSI: 00000000200000c0 RDI: 0000000000000003<br />
RBP: 00007f9210ce7ca1 R08: 0000000020000540 R09: 0000000000000014<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br />
R13: 00007ffe135d65cf R14: 00007f9211a59300 R15: 0000000000022000