{"id":"CVE-2023-53752","summary":"net: deal with integer overflows in kmalloc_reserve()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: deal with integer overflows in kmalloc_reserve()\n\nBlamed commit changed:\n    ptr = kmalloc(size);\n    if (ptr)\n      size = ksize(ptr);\n\n    size = kmalloc_size_roundup(size);\n    ptr = kmalloc(size);\n\nThis allowed various crash as reported by syzbot [1]\nand Kyle Zeng.\n\nProblem is that if @size is bigger than 0x80000001,\nkmalloc_size_roundup(size) returns 2^32.\n\nkmalloc_reserve() uses a 32bit variable (obj_size),\nso 2^32 is truncated to 0.\n\nkmalloc(0) returns ZERO_SIZE_PTR which is not handled by\nskb allocations.\n\nFollowing trace can be triggered if a netdev-\u003emtu is set\nclose to 0x7fffffff\n\nWe might in the future limit netdev-\u003emtu to more sensible\nlimit (like KMALLOC_MAX_SIZE).\n\nThis patch is based on a syzbot report, and also a report\nand tentative fix from Kyle Zeng.\n\n[1]\nBUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]\nBUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nWrite of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554\n\nCPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\nCall trace:\ndump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279\nshow_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106\nprint_report+0xe4/0x4b4 mm/kasan/report.c:398\nkasan_report+0x150/0x1ac mm/kasan/report.c:495\nkasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\nmemset+0x40/0x70 mm/kasan/shadow.c:44\n__build_skb_around net/core/skbuff.c:294 [inline]\n__alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nalloc_skb include/linux/skbuff.h:1316 [inline]\nigmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359\nadd_grec+0x81c/0x1124 net/ipv4/igmp.c:534\nigmpv3_send_cr net/ipv4/igmp.c:667 [inline]\nigmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810\ncall_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474\nexpire_timers kernel/time/timer.c:1519 [inline]\n__run_timers+0x54c/0x710 kernel/time/timer.c:1790\nrun_timer_softirq+0x28/0x4c kernel/time/timer.c:1803\n_stext+0x380/0xfbc\n____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79\ncall_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891\ndo_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84\ninvoke_softirq kernel/softirq.c:437 [inline]\n__irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683\nirq_exit_rcu+0x14/0x78 kernel/softirq.c:695\nel0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717\n__el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724\nel0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729\nel0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584","modified":"2026-04-02T09:45:08.596317Z","published":"2025-12-08T01:19:12.407Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53752.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/31cf7853a940181593e4472fc56f46574123f9f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/915d975b2ffa58a14bfcf16fafe00c41315949ff"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf7da02d2b8faf324206e1cbe64a4813ff903cc1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e4ffc47a1c3e5d11a853aa178c9a5136e79412e9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53752.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53752"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0dbc898f5917c5a3bec6be19d9f5469cbc351a7d"},{"fixed":"31cf7853a940181593e4472fc56f46574123f9f6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"12d6c1d3a2ad0c199ec57c201cdc71e8e157a232"},{"fixed":"e4ffc47a1c3e5d11a853aa178c9a5136e79412e9"},{"fixed":"bf7da02d2b8faf324206e1cbe64a4813ff903cc1"},{"fixed":"915d975b2ffa58a14bfcf16fafe00c41315949ff"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53752.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.4.16"},{"fixed":"6.5.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53752.json"}}],"schema_version":"1.7.5"}