We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-53133

bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser()



Description

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser() When the buffer length of the recvmsg system call is 0, we got the flollowing soft lockup problem: watchdog: BUG: soft lockup - CPU#3 stuck for 27s! [a.out:6149] CPU: 3 PID: 6149 Comm: a.out Kdump: loaded Not tainted 6.2.0+ #30 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 RIP: 0010:remove_wait_queue+0xb/0xc0 Code: 5e 41 5f c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 <41> 56 41 55 41 54 55 48 89 fd 53 48 89 f3 4c 8d 6b 18 4c 8d 73 20 RSP: 0018:ffff88811b5978b8 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff88811a7d3780 RCX: ffffffffb7a4d768 RDX: dffffc0000000000 RSI: ffff88811b597908 RDI: ffff888115408040 RBP: 1ffff110236b2f1b R08: 0000000000000000 R09: ffff88811a7d37e7 R10: ffffed10234fa6fc R11: 0000000000000001 R12: ffff88811179b800 R13: 0000000000000001 R14: ffff88811a7d38a8 R15: ffff88811a7d37e0 FS: 00007f6fb5398740(0000) GS:ffff888237180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000000 CR3: 000000010b6ba002 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_msg_wait_data+0x279/0x2f0 tcp_bpf_recvmsg_parser+0x3c6/0x490 inet_recvmsg+0x280/0x290 sock_recvmsg+0xfc/0x120 ____sys_recvmsg+0x160/0x3d0 ___sys_recvmsg+0xf0/0x180 __sys_recvmsg+0xea/0x1a0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc The logic in tcp_bpf_recvmsg_parser is as follows: msg_bytes_ready: copied = sk_msg_recvmsg(sk, psock, msg, len, flags); if (!copied) { wait data; goto msg_bytes_ready; } In this case, "copied" always is 0, the infinite loop occurs. According to the Linux system call man page, 0 should be returned in this case. Therefore, in tcp_bpf_recvmsg_parser(), if the length is 0, directly return. Also modify several other functions with the same problem.

Reserved 2025-05-02 | Published 2025-05-02 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

604326b41a6fb9b4a78b6179335decee0365cd8c before 4a476285f6d2921c3c9faa494eab83b78f78fc55
affected

604326b41a6fb9b4a78b6179335decee0365cd8c before f45cf3ae3068e70e2c7f3e24a7f8e8aa99511f03
affected

604326b41a6fb9b4a78b6179335decee0365cd8c before bf0579989de64d36e177c0611c685dc4a91457a7
affected

604326b41a6fb9b4a78b6179335decee0365cd8c before d900f3d20cc3169ce42ec72acc850e662a4d4db2
affected

Default status
affected

4.20
affected

Any version before 4.20
unaffected

5.15.103
unaffected

6.1.20
unaffected

6.2.7
unaffected

6.3
unaffected

References

git.kernel.org/...c/4a476285f6d2921c3c9faa494eab83b78f78fc55

git.kernel.org/...c/f45cf3ae3068e70e2c7f3e24a7f8e8aa99511f03

git.kernel.org/...c/bf0579989de64d36e177c0611c685dc4a91457a7

git.kernel.org/...c/d900f3d20cc3169ce42ec72acc850e662a4d4db2

cve.org (CVE-2023-53133)

nvd.nist.gov (CVE-2023-53133)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2023-53133

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.