{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54251", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-30T12:06:44.514Z", "datePublished": "2025-12-30T12:15:48.145Z", "dateUpdated": "2025-12-30T12:15:48.145Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-30T12:15:48.145Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.\n\nsyzkaller found zero division error [0] in div_s64_rem() called from\nget_cycle_time_elapsed(), where sched->cycle_time is the divisor.\n\nWe have tests in parse_taprio_schedule() so that cycle_time will never\nbe 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().\n\nThe problem is that the types of divisor are different; cycle_time is\ns64, but the argument of div_s64_rem() is s32.\n\nsyzkaller fed this input and 0x100000000 is cast to s32 to be 0.\n\n @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}\n\nWe use s64 for cycle_time to cast it to ktime_t, so let's keep it and\nset max for cycle_time.\n\nWhile at it, we prevent overflow in setup_txtime() and add another\ntest in parse_taprio_schedule() to check if cycle_time overflows.\n\nAlso, we add a new tdc test case for this issue.\n\n[0]:\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]\nRIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]\nRIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344\nCode: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10\nRSP: 0018:ffffc90000acf260 EFLAGS: 00010206\nRAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000\nRBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934\nR10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800\nR13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0\nPKRU: 55555554\nCall Trace:\n <TASK>\n get_packet_txtime net/sched/sch_taprio.c:508 [inline]\n taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577\n taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658\n dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732\n __dev_xmit_skb net/core/dev.c:3821 [inline]\n __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169\n dev_queue_xmit include/linux/netdevice.h:3088 [inline]\n neigh_resolve_output net/core/neighbour.c:1552 [inline]\n neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532\n neigh_output include/net/neighbour.h:544 [inline]\n ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135\n __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196\n ip6_finish_output net/ipv6/ip6_output.c:207 [inline]\n NF_HOOK_COND include/linux/netfilter.h:292 [inline]\n ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228\n dst_output include/net/dst.h:458 [inline]\n NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303\n ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508\n ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666\n addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175\n process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597\n worker_thread+0x60f/0x1240 kernel/workqueue.c:2748\n kthread+0x2fe/0x3f0 kernel/kthread.c:389\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n </TASK>\nModules linked in:"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_taprio.c", "tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json"], "versions": [{"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2", "lessThan": "f04f6d9b3b060f7e11219a65a76da65f1489e391", "status": "affected", "versionType": "git"}, {"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2", "lessThan": "0b45af982a4df0b14fb8669ee2a871cfdfa6a39c", "status": "affected", "versionType": "git"}, {"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2", "lessThan": "57b3fe08ae06ef11af007b4a182629b12a961e30", "status": "affected", "versionType": "git"}, {"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2", "lessThan": "e739718444f7bf2fa3d70d101761ad83056ca628", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_taprio.c", "tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json"], "versions": [{"version": "5.3", "status": "affected"}, {"version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.126", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.45", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4.10", "lessThanOrEqual": "6.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.15.126"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.1.45"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.4.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "6.5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f04f6d9b3b060f7e11219a65a76da65f1489e391"}, {"url": "https://git.kernel.org/stable/c/0b45af982a4df0b14fb8669ee2a871cfdfa6a39c"}, {"url": "https://git.kernel.org/stable/c/57b3fe08ae06ef11af007b4a182629b12a961e30"}, {"url": "https://git.kernel.org/stable/c/e739718444f7bf2fa3d70d101761ad83056ca628"}], "title": "net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.\n\nsyzkaller found zero division error [0] in div_s64_rem() called from\nget_cycle_time_elapsed(), where sched->cycle_time is the divisor.\n\nWe have tests in parse_taprio_schedule() so that cycle_time will never\nbe 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().\n\nThe problem is that the types of divisor are different; cycle_time is\ns64, but the argument of div_s64_rem() is s32.\n\nsyzkaller fed this input and 0x100000000 is cast to s32 to be 0.\n\n @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}\n\nWe use s64 for cycle_time to cast it to ktime_t, so let's keep it and\nset max for cycle_time.\n\nWhile at it, we prevent overflow in setup_txtime() and add another\ntest in parse_taprio_schedule() to check if cycle_time overflows.\n\nAlso, we add a new tdc test case for this issue.\n\n[0]:\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]\nRIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]\nRIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344\nCode: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10\nRSP: 0018:ffffc90000acf260 EFLAGS: 00010206\nRAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000\nRBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934\nR10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800\nR13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0\nPKRU: 55555554\nCall Trace:\n <TASK>\n get_packet_txtime net/sched/sch_taprio.c:508 [inline]\n taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577\n taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658\n dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732\n __dev_xmit_skb net/core/dev.c:3821 [inline]\n __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169\n dev_queue_xmit include/linux/netdevice.h:3088 [inline]\n neigh_resolve_output net/core/neighbour.c:1552 [inline]\n neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532\n neigh_output include/net/neighbour.h:544 [inline]\n ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135\n __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196\n ip6_finish_output net/ipv6/ip6_output.c:207 [inline]\n NF_HOOK_COND include/linux/netfilter.h:292 [inline]\n ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228\n dst_output include/net/dst.h:458 [inline]\n NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303\n ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508\n ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666\n addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175\n process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597\n worker_thread+0x60f/0x1240 kernel/workqueue.c:2748\n kthread+0x2fe/0x3f0 kernel/kthread.c:389\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n </TASK>\nModules linked in:"}], "id": "CVE-2023-54251", "lastModified": "2025-12-31T20:42:43.210", "metrics": {}, "published": "2025-12-30T13:16:13.763", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0b45af982a4df0b14fb8669ee2a871cfdfa6a39c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/57b3fe08ae06ef11af007b4a182629b12a961e30"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e739718444f7bf2fa3d70d101761ad83056ca628"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f04f6d9b3b060f7e11219a65a76da65f1489e391"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX", "id": "2426020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426020"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.\nsyzkaller found zero division error [0] in div_s64_rem() called from\nget_cycle_time_elapsed(), where sched->cycle_time is the divisor.\nWe have tests in parse_taprio_schedule() so that cycle_time will never\nbe 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().\nThe problem is that the types of divisor are different; cycle_time is\ns64, but the argument of div_s64_rem() is s32.\nsyzkaller fed this input and 0x100000000 is cast to s32 to be 0.\n@TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}\nWe use s64 for cycle_time to cast it to ktime_t, so let's keep it and\nset max for cycle_time.\nWhile at it, we prevent overflow in setup_txtime() and add another\ntest in parse_taprio_schedule() to check if cycle_time overflows.\nAlso, we add a new tdc test case for this issue.\n[0]:\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]\nRIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]\nRIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344\nCode: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10\nRSP: 0018:ffffc90000acf260 EFLAGS: 00010206\nRAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000\nRBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934\nR10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800\nR13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0\nPKRU: 55555554\nCall Trace:\n<TASK>\nget_packet_txtime net/sched/sch_taprio.c:508 [inline]\ntaprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577\ntaprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658\ndev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732\n__dev_xmit_skb net/core/dev.c:3821 [inline]\n__dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169\ndev_queue_xmit include/linux/netdevice.h:3088 [inline]\nneigh_resolve_output net/core/neighbour.c:1552 [inline]\nneigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532\nneigh_output include/net/neighbour.h:544 [inline]\nip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135\n__ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196\nip6_finish_output net/ipv6/ip6_output.c:207 [inline]\nNF_HOOK_COND include/linux/netfilter.h:292 [inline]\nip6_output+0x206/0x410 net/ipv6/ip6_output.c:228\ndst_output include/net/dst.h:458 [inline]\nNF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303\nndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508\nndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666\naddrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175\nprocess_one_work+0x92c/0x13a0 kernel/workqueue.c:2597\nworker_thread+0x60f/0x1240 kernel/workqueue.c:2748\nkthread+0x2fe/0x3f0 kernel/kthread.c:389\nret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n</TASK>\nModules linked in:"], "name": "CVE-2023-54251", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-54251\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54251\nhttps://lore.kernel.org/linux-cve-announce/2025123054-CVE-2023-54251-2a3b@gregkh/T"], "threat_severity": "Moderate"}

{}