{"id":"DEBIAN-CVE-2023-54155","details":"In the Linux kernel, the following vulnerability has been resolved:  net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()  Syzkaller reported the following issue: ======================================= Too BIG xdp-\u003eframe_sz = 131072 WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121   ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121   bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 ... Call Trace:  \u003cTASK\u003e  bpf_prog_4add87e5301a4105+0x1a/0x1c  __bpf_prog_run include/linux/filter.h:600 [inline]  bpf_prog_run_xdp include/linux/filter.h:775 [inline]  bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721  netif_receive_generic_xdp net/core/dev.c:4807 [inline]  do_xdp_generic+0x35c/0x770 net/core/dev.c:4866  tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919  tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043  call_write_iter include/linux/fs.h:1871 [inline]  new_sync_write fs/read_write.c:491 [inline]  vfs_write+0x650/0xe40 fs/read_write.c:584  ksys_write+0x12f/0x250 fs/read_write.c:637  do_syscall_x64 arch/x86/entry/common.c:50 [inline]  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80  entry_SYSCALL_64_after_hwframe+0x63/0xcd  xdp-\u003eframe_sz \u003e PAGE_SIZE check was introduced in commit c8741e2bfe87 (\"xdp: Allow bpf_xdp_adjust_tail() to grow packet size\"). But Jesper Dangaard Brouer \u003cjbrouer@redhat.com\u003e noted that after introducing the xdp_init_buff() which all XDP driver use - it's safe to remove this check. The original intend was to catch cases where XDP drivers have not been updated to use xdp.frame_sz, but that is not longer a concern (since xdp_init_buff).  Running the initial syzkaller repro it was discovered that the contiguous physical memory allocation is used for both xdp paths in tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also stated by Jesper Dangaard Brouer \u003cjbrouer@redhat.com\u003e that XDP can work on higher order pages, as long as this is contiguous physical memory (e.g. a page).","modified":"2026-04-28T20:27:15.154493Z","published":"2025-12-24T13:16:17.510Z","upstream":["CVE-2023-54155"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2023-54155"}],"affected":[{"package":{"name":"linux","ecosystem":"Debian:12","purl":"pkg:deb/debian/linux?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.52-1"}]}],"versions":["6.1.27-1","6.1.37-1","6.1.38-1","6.1.38-2","6.1.38-2~bpo11+1","6.1.38-3","6.1.38-4","6.1.38-4~bpo11+1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54155.json"}},{"package":{"name":"linux","ecosystem":"Debian:13","purl":"pkg:deb/debian/linux?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.4.11-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54155.json"}},{"package":{"name":"linux","ecosystem":"Debian:14","purl":"pkg:deb/debian/linux?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.4.11-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-54155.json"}}],"schema_version":"1.7.5"}