{"id":"CVE-2023-53667","summary":"net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_ncm: Deal with too low values of dwNtbOutMaxSize\n\nCurrently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than\nthe calculated \"min\" value, but greater than zero, the logic sets\ntx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in\ncdc_ncm_fill_tx_frame() where all the data is handled.\n\nFor small values of dwNtbOutMaxSize the memory allocated during\nalloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to\nhow size is aligned at alloc time:\n\tsize = SKB_DATA_ALIGN(size);\n        size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));\nThus we hit the same bug that we tried to squash with\ncommit 2be6d4d16a084 (\"net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero\")\n\nLow values of dwNtbOutMaxSize do not cause an issue presently because at\nalloc_skb() time more memory (512b) is allocated than required for the\nSKB headers alone (320b), leaving some space (512b - 320b = 192b)\nfor CDC data (172b).\n\nHowever, if more elements (for example 3 x u64 = [24b]) were added to\none of the SKB header structs, say 'struct skb_shared_info',\nincreasing its original size (320b [320b aligned]) to something larger\n(344b [384b aligned]), then suddenly the CDC data (172b) no longer\nfits in the spare SKB data area (512b - 384b = 128b).\n\nConsequently the SKB bounds checking semantics fails and panics:\n\nskbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:\u003cNULL\u003e\n------------[ cut here ]------------\nkernel BUG at net/core/skbuff.c:113!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nWorkqueue: mld mld_ifc_work\nRIP: 0010:skb_panic net/core/skbuff.c:113 [inline]\nRIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118\n[snip]\nCall Trace:\n \u003cTASK\u003e\n skb_put+0x151/0x210 net/core/skbuff.c:2047\n skb_put_zero include/linux/skbuff.h:2422 [inline]\n cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]\n cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308\n cdc_ncm_tx_fixup+0xa3/0x100\n\nDeal with too low values of dwNtbOutMaxSize, clamp it in the range\n[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure\nenough data space is allocated to handle CDC data by making sure\ndwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.","modified":"2026-04-02T09:44:48.830575Z","published":"2025-10-07T15:21:25.185Z","related":["SUSE-SU-2025:4111-1","SUSE-SU-2025:4139-1","SUSE-SU-2025:4149-1","SUSE-SU-2025:4189-1","SUSE-SU-2025:4320-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53667.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2334ff0b343ba6ba7a6c0586fcc83992bbbc1776"},{"type":"WEB","url":"https://git.kernel.org/stable/c/42b78c8cc774b47023d6d16d96d54cc7015e4a07"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6147745d43ff4e0d2c542e5b93e398ef0ee4db00"},{"type":"WEB","url":"https://git.kernel.org/stable/c/72d0240b0ee4794efc683975c213e4b384fea733"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e01c7f7046efc2c7c192c3619db43292b98e997"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9be921854e983a81a0aeeae5febcd87093086e46"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf415bfe7573596ac213b4fd1da9e62cfc9a9413"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff484163dfb61b58f23e4dbd007de1094427669c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53667.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53667"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"289507d3364f96f4b8814726917d572f71350d87"},{"fixed":"2334ff0b343ba6ba7a6c0586fcc83992bbbc1776"},{"fixed":"bf415bfe7573596ac213b4fd1da9e62cfc9a9413"},{"fixed":"ff484163dfb61b58f23e4dbd007de1094427669c"},{"fixed":"42b78c8cc774b47023d6d16d96d54cc7015e4a07"},{"fixed":"9be921854e983a81a0aeeae5febcd87093086e46"},{"fixed":"6147745d43ff4e0d2c542e5b93e398ef0ee4db00"},{"fixed":"72d0240b0ee4794efc683975c213e4b384fea733"},{"fixed":"7e01c7f7046efc2c7c192c3619db43292b98e997"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53667.json"}}],"schema_version":"1.7.5"}