CVE-2023-54251 (GCVE-0-2023-54251)
Vulnerability from cvelistv5
Published
2025-12-30 12:15
Modified
2025-12-30 12:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.
syzkaller found zero division error [0] in div_s64_rem() called from
get_cycle_time_elapsed(), where sched->cycle_time is the divisor.
We have tests in parse_taprio_schedule() so that cycle_time will never
be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().
The problem is that the types of divisor are different; cycle_time is
s64, but the argument of div_s64_rem() is s32.
syzkaller fed this input and 0x100000000 is cast to s32 to be 0.
@TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}
We use s64 for cycle_time to cast it to ktime_t, so let's keep it and
set max for cycle_time.
While at it, we prevent overflow in setup_txtime() and add another
test in parse_taprio_schedule() to check if cycle_time overflows.
Also, we add a new tdc test case for this issue.
[0]:
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]
RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]
RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344
Code: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10
RSP: 0018:ffffc90000acf260 EFLAGS: 00010206
RAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000
RBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934
R10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800
R13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
<TASK>
get_packet_txtime net/sched/sch_taprio.c:508 [inline]
taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577
taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658
dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732
__dev_xmit_skb net/core/dev.c:3821 [inline]
__dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169
dev_queue_xmit include/linux/netdevice.h:3088 [inline]
neigh_resolve_output net/core/neighbour.c:1552 [inline]
neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532
neigh_output include/net/neighbour.h:544 [inline]
ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135
__ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196
ip6_finish_output net/ipv6/ip6_output.c:207 [inline]
NF_HOOK_COND include/linux/netfilter.h:292 [inline]
ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228
dst_output include/net/dst.h:458 [inline]
NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303
ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508
ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666
addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175
process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597
worker_thread+0x60f/0x1240 kernel/workqueue.c:2748
kthread+0x2fe/0x3f0 kernel/kthread.c:389
ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c",
"tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f04f6d9b3b060f7e11219a65a76da65f1489e391",
"status": "affected",
"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2",
"versionType": "git"
},
{
"lessThan": "0b45af982a4df0b14fb8669ee2a871cfdfa6a39c",
"status": "affected",
"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2",
"versionType": "git"
},
{
"lessThan": "57b3fe08ae06ef11af007b4a182629b12a961e30",
"status": "affected",
"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2",
"versionType": "git"
},
{
"lessThan": "e739718444f7bf2fa3d70d101761ad83056ca628",
"status": "affected",
"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c",
"tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.\n\nsyzkaller found zero division error [0] in div_s64_rem() called from\nget_cycle_time_elapsed(), where sched-\u003ecycle_time is the divisor.\n\nWe have tests in parse_taprio_schedule() so that cycle_time will never\nbe 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().\n\nThe problem is that the types of divisor are different; cycle_time is\ns64, but the argument of div_s64_rem() is s32.\n\nsyzkaller fed this input and 0x100000000 is cast to s32 to be 0.\n\n @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}\n\nWe use s64 for cycle_time to cast it to ktime_t, so let\u0027s keep it and\nset max for cycle_time.\n\nWhile at it, we prevent overflow in setup_txtime() and add another\ntest in parse_taprio_schedule() to check if cycle_time overflows.\n\nAlso, we add a new tdc test case for this issue.\n\n[0]:\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]\nRIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]\nRIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344\nCode: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 \u003c48\u003e f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10\nRSP: 0018:ffffc90000acf260 EFLAGS: 00010206\nRAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000\nRBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934\nR10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800\nR13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n get_packet_txtime net/sched/sch_taprio.c:508 [inline]\n taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577\n taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658\n dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732\n __dev_xmit_skb net/core/dev.c:3821 [inline]\n __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169\n dev_queue_xmit include/linux/netdevice.h:3088 [inline]\n neigh_resolve_output net/core/neighbour.c:1552 [inline]\n neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532\n neigh_output include/net/neighbour.h:544 [inline]\n ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135\n __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196\n ip6_finish_output net/ipv6/ip6_output.c:207 [inline]\n NF_HOOK_COND include/linux/netfilter.h:292 [inline]\n ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228\n dst_output include/net/dst.h:458 [inline]\n NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303\n ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508\n ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666\n addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175\n process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597\n worker_thread+0x60f/0x1240 kernel/workqueue.c:2748\n kthread+0x2fe/0x3f0 kernel/kthread.c:389\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n \u003c/TASK\u003e\nModules linked in:"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:48.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f04f6d9b3b060f7e11219a65a76da65f1489e391"
},
{
"url": "https://git.kernel.org/stable/c/0b45af982a4df0b14fb8669ee2a871cfdfa6a39c"
},
{
"url": "https://git.kernel.org/stable/c/57b3fe08ae06ef11af007b4a182629b12a961e30"
},
{
"url": "https://git.kernel.org/stable/c/e739718444f7bf2fa3d70d101761ad83056ca628"
}
],
"title": "net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54251",
"datePublished": "2025-12-30T12:15:48.145Z",
"dateReserved": "2025-12-30T12:06:44.514Z",
"dateUpdated": "2025-12-30T12:15:48.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54251\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:13.763\",\"lastModified\":\"2025-12-31T20:42:43.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.\\n\\nsyzkaller found zero division error [0] in div_s64_rem() called from\\nget_cycle_time_elapsed(), where sched-\u003ecycle_time is the divisor.\\n\\nWe have tests in parse_taprio_schedule() so that cycle_time will never\\nbe 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().\\n\\nThe problem is that the types of divisor are different; cycle_time is\\ns64, but the argument of div_s64_rem() is s32.\\n\\nsyzkaller fed this input and 0x100000000 is cast to s32 to be 0.\\n\\n @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}\\n\\nWe use s64 for cycle_time to cast it to ktime_t, so let\u0027s keep it and\\nset max for cycle_time.\\n\\nWhile at it, we prevent overflow in setup_txtime() and add another\\ntest in parse_taprio_schedule() to check if cycle_time overflows.\\n\\nAlso, we add a new tdc test case for this issue.\\n\\n[0]:\\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\\nCPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\\nWorkqueue: ipv6_addrconf addrconf_dad_work\\nRIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]\\nRIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]\\nRIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344\\nCode: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 \u003c48\u003e f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10\\nRSP: 0018:ffffc90000acf260 EFLAGS: 00010206\\nRAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf\\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000\\nRBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934\\nR10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800\\nR13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000\\nFS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0\\nPKRU: 55555554\\nCall Trace:\\n \u003cTASK\u003e\\n get_packet_txtime net/sched/sch_taprio.c:508 [inline]\\n taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577\\n taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658\\n dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732\\n __dev_xmit_skb net/core/dev.c:3821 [inline]\\n __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169\\n dev_queue_xmit include/linux/netdevice.h:3088 [inline]\\n neigh_resolve_output net/core/neighbour.c:1552 [inline]\\n neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532\\n neigh_output include/net/neighbour.h:544 [inline]\\n ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135\\n __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196\\n ip6_finish_output net/ipv6/ip6_output.c:207 [inline]\\n NF_HOOK_COND include/linux/netfilter.h:292 [inline]\\n ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228\\n dst_output include/net/dst.h:458 [inline]\\n NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303\\n ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508\\n ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666\\n addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175\\n process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597\\n worker_thread+0x60f/0x1240 kernel/workqueue.c:2748\\n kthread+0x2fe/0x3f0 kernel/kthread.c:389\\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\\n \u003c/TASK\u003e\\nModules linked in:\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0b45af982a4df0b14fb8669ee2a871cfdfa6a39c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/57b3fe08ae06ef11af007b4a182629b12a961e30\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e739718444f7bf2fa3d70d101761ad83056ca628\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f04f6d9b3b060f7e11219a65a76da65f1489e391\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…