{"id":"CVE-2023-54155","summary":"net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()\n\nSyzkaller reported the following issue:\n=======================================\nToo BIG xdp-\u003eframe_sz = 131072\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\n  ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\n  bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103\n...\nCall Trace:\n \u003cTASK\u003e\n bpf_prog_4add87e5301a4105+0x1a/0x1c\n __bpf_prog_run include/linux/filter.h:600 [inline]\n bpf_prog_run_xdp include/linux/filter.h:775 [inline]\n bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721\n netif_receive_generic_xdp net/core/dev.c:4807 [inline]\n do_xdp_generic+0x35c/0x770 net/core/dev.c:4866\n tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919\n tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043\n call_write_iter include/linux/fs.h:1871 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x650/0xe40 fs/read_write.c:584\n ksys_write+0x12f/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nxdp-\u003eframe_sz \u003e PAGE_SIZE check was introduced in commit c8741e2bfe87\n(\"xdp: Allow bpf_xdp_adjust_tail() to grow packet size\"). But Jesper\nDangaard Brouer \u003cjbrouer@redhat.com\u003e noted that after introducing the\nxdp_init_buff() which all XDP driver use - it's safe to remove this\ncheck. The original intend was to catch cases where XDP drivers have\nnot been updated to use xdp.frame_sz, but that is not longer a concern\n(since xdp_init_buff).\n\nRunning the initial syzkaller repro it was discovered that the\ncontiguous physical memory allocation is used for both xdp paths in\ntun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also\nstated by Jesper Dangaard Brouer \u003cjbrouer@redhat.com\u003e that XDP can\nwork on higher order pages, as long as this is contiguous physical\nmemory (e.g. a page).","modified":"2026-04-02T09:45:38.413747Z","published":"2025-12-24T13:07:05.385Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54155.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/20acffcdc2b74fb7dcc4e299f7aca173df89d911"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d14eea09edf427fa36bd446f4a3271f99164202f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d9252d67ed2f921c230bba449ee051b5c32e4841"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54155.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54155"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"43b5169d8355ccf26d726fbc75f083b2429113e4"},{"fixed":"a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8"},{"fixed":"20acffcdc2b74fb7dcc4e299f7aca173df89d911"},{"fixed":"d9252d67ed2f921c230bba449ee051b5c32e4841"},{"fixed":"d14eea09edf427fa36bd446f4a3271f99164202f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54155.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.12.0"},{"fixed":"5.15.127"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.46"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.4.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54155.json"}}],"schema_version":"1.7.5"}