CVE-2023-53999 (GCVE-0-2023-53999)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
Title
net/mlx5e: TC, Fix internal port memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: TC, Fix internal port memory leak

The flow rule can be split, and the extra post_act rules are added to the post_act table. It's possible to trigger a memleak when the rule forwards packets from an internal port and over a tunnel, in the case that, for example, CT 'new' state offload is allowed. As the int_port object is assigned to the flow attribute of the post_act rule, and its refcnt is incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is not called, the refcnt is never decremented, so int_port is never freed.

kmemleak reports the following error:

    unreferenced object 0xffff888128204b80 (size 64):
      comm "handler20", pid 50121, jiffies 4296973009 (age 642.932s)
      hex dump (first 32 bytes):
        01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00  ................
        98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff  .wgA.....wgA....
      backtrace:
        [<00000000e992680d>] kmalloc_trace+0x27/0x120
        [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]
        [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]
        [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]
        [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]
        [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]
        [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]
        [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410
        [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower]
        [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower]
        [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010
        [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0
        [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360
        [<0000000082dd6c8b>] netlink_unicast+0x438/0x710
        [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50
        [<0000000016e92590>] sock_sendmsg+0xc5/0x190

So fix this by moving the int_port cleanup code to the flow attribute free helper, which is used by all the attribute free cases.
Severity
No CVSS data available.
Assigner
Linux (assignerShortName in the CVE record below)
Impacted products
Vendor  Product  Version
Linux   Linux    Affected: 8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < bc1918bac0f30e3f551ef5649b53062917db55fa (git)
                 Affected: 8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < ac5da544a3c2047cbfd715acd9cec8380d7fe5c6 (git)
Linux   Linux    Affected: 5.18
                 Unaffected: 0 , < 5.18 (semver)
                 Unaffected: 6.4.11 , ≤ 6.4.* (semver)
                 Unaffected: 6.5 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bc1918bac0f30e3f551ef5649b53062917db55fa",
              "status": "affected",
              "version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
              "versionType": "git"
            },
            {
              "lessThan": "ac5da544a3c2047cbfd715acd9cec8380d7fe5c6",
              "status": "affected",
              "version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.11",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix internal port memory leak\n\nThe flow rule can be splited, and the extra post_act rules are added\nto post_act table. It\u0027s possible to trigger memleak when the rule\nforwards packets from internal port and over tunnel, in the case that,\nfor example, CT \u0027new\u0027 state offload is allowed. As int_port object is\nassigned to the flow attribute of post_act rule, and its refcnt is\nincremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is\nnot called, the refcnt is never decremented, then int_port is never\nfreed.\n\nThe kmemleak reports the following error:\nunreferenced object 0xffff888128204b80 (size 64):\n  comm \"handler20\", pid 50121, jiffies 4296973009 (age 642.932s)\n  hex dump (first 32 bytes):\n    01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00  ................\n    98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff  .wgA.....wgA....\n  backtrace:\n    [\u003c00000000e992680d\u003e] kmalloc_trace+0x27/0x120\n    [\u003c000000009e945a98\u003e] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]\n    [\u003c0000000035a537f0\u003e] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]\n    [\u003c0000000070c2cec6\u003e] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\n    [\u003c000000005cc84048\u003e] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]\n    [\u003c000000004f8a2031\u003e] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]\n    [\u003c000000007df797dc\u003e] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]\n    [\u003c0000000016c15cc3\u003e] tc_setup_cb_add+0x1cf/0x410\n    [\u003c00000000a63305b4\u003e] fl_hw_replace_filter+0x38f/0x670 [cls_flower]\n    [\u003c000000008bc9e77c\u003e] fl_change+0x1fd5/0x4430 [cls_flower]\n    [\u003c00000000e7f766e4\u003e] tc_new_tfilter+0x867/0x2010\n    [\u003c00000000e101c0ef\u003e] rtnetlink_rcv_msg+0x6fc/0x9f0\n    [\u003c00000000e1111d44\u003e] netlink_rcv_skb+0x12c/0x360\n    [\u003c0000000082dd6c8b\u003e] netlink_unicast+0x438/0x710\n    [\u003c00000000fc568f70\u003e] netlink_sendmsg+0x794/0xc50\n    [\u003c0000000016e92590\u003e] sock_sendmsg+0xc5/0x190\n\nSo fix this by moving int_port cleanup code to the flow attribute\nfree helper, which is used by all the attribute free cases."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:55:35.523Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6"
        }
      ],
      "title": "net/mlx5e: TC, Fix internal port memory leak",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53999",
    "datePublished": "2025-12-24T10:55:35.523Z",
    "dateReserved": "2025-12-24T10:53:46.176Z",
    "dateUpdated": "2025-12-24T10:55:35.523Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53999\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:15:52.810\",\"lastModified\":\"2025-12-29T15:58:56.260\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: TC, Fix internal port memory leak\\n\\nThe flow rule can be splited, and the extra post_act rules are added\\nto post_act table. It\u0027s possible to trigger memleak when the rule\\nforwards packets from internal port and over tunnel, in the case that,\\nfor example, CT \u0027new\u0027 state offload is allowed. As int_port object is\\nassigned to the flow attribute of post_act rule, and its refcnt is\\nincremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is\\nnot called, the refcnt is never decremented, then int_port is never\\nfreed.\\n\\nThe kmemleak reports the following error:\\nunreferenced object 0xffff888128204b80 (size 64):\\n  comm \\\"handler20\\\", pid 50121, jiffies 4296973009 (age 642.932s)\\n  hex dump (first 32 bytes):\\n    01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00  ................\\n    98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff  .wgA.....wgA....\\n  backtrace:\\n    [\u003c00000000e992680d\u003e] kmalloc_trace+0x27/0x120\\n    [\u003c000000009e945a98\u003e] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]\\n    [\u003c0000000035a537f0\u003e] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]\\n    [\u003c0000000070c2cec6\u003e] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\\n    [\u003c000000005cc84048\u003e] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]\\n    [\u003c000000004f8a2031\u003e] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]\\n    [\u003c000000007df797dc\u003e] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]\\n    [\u003c0000000016c15cc3\u003e] tc_setup_cb_add+0x1cf/0x410\\n    [\u003c00000000a63305b4\u003e] fl_hw_replace_filter+0x38f/0x670 [cls_flower]\\n    [\u003c000000008bc9e77c\u003e] fl_change+0x1fd5/0x4430 [cls_flower]\\n    [\u003c00000000e7f766e4\u003e] tc_new_tfilter+0x867/0x2010\\n    [\u003c00000000e101c0ef\u003e] rtnetlink_rcv_msg+0x6fc/0x9f0\\n    [\u003c00000000e1111d44\u003e] netlink_rcv_skb+0x12c/0x360\\n    [\u003c0000000082dd6c8b\u003e] netlink_unicast+0x438/0x710\\n    [\u003c00000000fc568f70\u003e] netlink_sendmsg+0x794/0xc50\\n    [\u003c0000000016e92590\u003e] sock_sendmsg+0xc5/0x190\\n\\nSo fix this by moving int_port cleanup code to the flow attribute\\nfree helper, which is used by all the attribute free cases.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}