{ "threat_severity" : "Low", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: bpf, cpumap: Handle skb as well when clean up ptr_ring", "id" : "2402238", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402238" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-843", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, cpumap: Handle skb as well when clean up ptr_ring\nThe following warning was reported when running xdp_redirect_cpu with\nboth skb-mode and stress-mode enabled:\n------------[ cut here ]------------\nIncorrect XDP memory type (-2128176192) usage\nWARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405\nModules linked in:\nCPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nWorkqueue: events __cpu_map_entry_free\nRIP: 0010:__xdp_return+0x1e4/0x4a0\n......\nCall Trace:\n\n? show_regs+0x65/0x70\n? __warn+0xa5/0x240\n? __xdp_return+0x1e4/0x4a0\n......\nxdp_return_frame+0x4d/0x150\n__cpu_map_entry_free+0xf9/0x230\nprocess_one_work+0x6b0/0xb80\nworker_thread+0x96/0x720\nkthread+0x1a5/0x1f0\nret_from_fork+0x3a/0x70\nret_from_fork_asm+0x1b/0x30\n\nThe reason for the warning is twofold. One is due to the kthread\ncpu_map_kthread_run() is stopped prematurely. Another one is\n__cpu_map_ring_cleanup() doesn't handle skb mode and treats skbs in\nptr_ring as XDP frames.\nPrematurely-stopped kthread will be fixed by the preceding patch and\nptr_ring will be empty when __cpu_map_ring_cleanup() is called. But\nas the comments in __cpu_map_ring_cleanup() said, handling and freeing\nskbs in ptr_ring as well to \"catch any broken behaviour gracefully\".", "An incorrect object type handling flaw was found in the Linux kernel's BPF cpumap implementation in the cleanup path. A local user can trigger this issue by running XDP redirect operations in SKB mode with the cpumap, causing the cleanup code to incorrectly treat socket buffers as XDP frames when freeing ptr_ring contents. This results in memory corruption and kernel warnings, leading to denial of service through system instability or crash." ], "statement" : "The cpumap is used for XDP (eXpress Data Path) packet processing and can operate in either native XDP frame mode or SKB (socket buffer) mode. When operating in SKB mode, the ptr_ring contains skb pointers rather than XDP frame pointers. However, the __cpu_map_ring_cleanup function assumes all entries are XDP frames and attempts to free them using xdp_return_frame, which causes type confusion when it encounters skbs. This triggers warnings about incorrect XDP memory types and can cause crashes. The issue manifests when running xdp_redirect_cpu in skb-mode, particularly under stress conditions that cause the kthread to stop prematurely. Triggering requires local access and the ability to load and run XDP programs, which typically requires elevated privileges.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-11-15T00:00:00Z", "advisory" : "RHSA-2022:8267", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-162.6.1.el9_1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-11-15T00:00:00Z", "advisory" : "RHSA-2022:8267", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-162.6.1.el9_1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53660\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53660\nhttps://lore.kernel.org/linux-cve-announce/2025100702-CVE-2023-53660-92d3@gregkh/T" ], "name" : "CVE-2023-53660", "csaw" : false }