CVE-2023-53778
Description
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Clean up integer overflow checking in map_user_pages()
The encode_dma() function has some validation on in_trans->size but it would be more clear to move those checks to find_and_map_user_pages().
The encode_dma() had two checks:
if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size) return -EINVAL;
The in_trans->addr variable is the starting address. The in_trans->size variable is the total size of the transfer. The transfer can occur in parts and the resources->xferred_dma_size tracks how many bytes we have already transferred.
This patch introduces a new variable "remaining" which represents the amount we want to transfer (in_trans->size) minus the amount we have already transferred (resources->xferred_dma_size).
I have modified the check for if in_trans->size is zero to instead check if in_trans->size is less than resources->xferred_dma_size. If we have already transferred more bytes than in_trans->size then there are negative bytes remaining which doesn't make sense. If there are zero bytes remaining to be copied, just return success.
The check in encode_dma() checked that "addr + size" could not overflow and barring a driver bug that should work, but it's easier to check if we do this in parts. First check that "in_trans->addr + resources->xferred_dma_size" is safe. Then check that "xfer_start_addr + remaining" is safe.
My final concern was that we are dealing with u64 values but on 32bit systems the kmalloc() function will truncate the sizes to 32 bits. So I calculated "total = in_trans->size + offset_in_page(xfer_start_addr);" and returned -EINVAL if it were >= SIZE_MAX. This will not affect 64bit systems.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A potential integer overflow in Linux kernel's QAIC accelerator driver was fixed by moving bounds checks and ensuring size fits within kmalloc's capacity.
Vulnerability
CVE-2023-53778 is a potential integer overflow vulnerability in the Linux kernel's accel/qaic driver, specifically within the map_user_pages() function. The issue arises in the encode_dma() function, which validates transfer size (in_trans->size) but the checks were not comprehensive enough to prevent overflow when calculating memory allocations. The root cause is that on 32-bit systems, kmalloc() truncates u64 sizes to 32 bits, which could lead to a smaller buffer being allocated than expected [1].
Exploitation
The vulnerability can be triggered when a user-space process submits a DMA transfer with a large in_trans->size that, after adding the offset within the page, exceeds SIZE_MAX. The original code did not verify that total = in_trans->size + offset_in_page(xfer_start_addr) would fit in a size_t, allowing a potential integer truncation when passed to kmalloc(). The fix introduces a check that returns -EINVAL if total >= SIZE_MAX [1].
Impact
An attacker with local access and the ability to interact with the QAIC accelerator device could exploit this to cause a kernel memory allocation of insufficient size. This may lead to a kernel heap overflow, potentially resulting in denial-of-service (system crash) or, in some cases, arbitrary code execution in the kernel context [1].
Mitigation
The vulnerability was fixed in the Linux kernel commit 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c. Users should apply the patch or update their kernel to a version containing the fix. There are no known workarounds; updating is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
2d410a96e5cb896d3c1cadedbVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.