CVE-2023-53599 (GCVE-0-2023-53599)
Vulnerability from cvelistv5
Published
2025-10-04 15:44
Modified
2025-10-04 15:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - Fix missing initialisation affecting gcm-aes-s390
Fix af_alg_alloc_areq() to initialise areq->first_rsgl.sgl.sgt.sgl to point
to the scatterlist array in areq->first_rsgl.sgl.sgl.
Without this, the gcm-aes-s390 driver will oops when it tries to do
gcm_walk_start() on req->dst because req->dst is set to the value of
areq->first_rsgl.sgl.sgl by _aead_recvmsg() calling
aead_request_set_crypt().
The problem comes if an empty ciphertext is passed: the loop in
af_alg_get_rsgl() just passes straight out and doesn't set areq->first_rsgl
up.
This isn't a problem on x86_64 using gcmaes_crypt_by_sg() because, as far
as I can tell, that ignores req->dst and only uses req->src[*].
[*] Is this a bug in aesni-intel_glue.c?
The s390x oops looks something like:
Unable to handle kernel pointer dereference in virtual kernel address space
Failing address: 0000000a00000000 TEID: 0000000a00000803
Fault in home space mode while using kernel ASCE.
AS:00000000a43a0007 R3:0000000000000024
Oops: 003b ilc:2 [#1] SMP
...
Call Trace:
[<000003ff7fc3d47e>] gcm_walk_start+0x16/0x28 [aes_s390]
[<00000000a2a342f2>] crypto_aead_decrypt+0x9a/0xb8
[<00000000a2a60888>] aead_recvmsg+0x478/0x698
[<00000000a2e519a0>] sock_recvmsg+0x70/0xb0
[<00000000a2e51a56>] sock_read_iter+0x76/0xa0
[<00000000a273e066>] vfs_read+0x26e/0x2a8
[<00000000a273e8c4>] ksys_read+0xbc/0x100
[<00000000a311d808>] __do_syscall+0x1d0/0x1f8
[<00000000a312ff30>] system_call+0x70/0x98
Last Breaking-Event-Address:
[<000003ff7fc3e6b4>] gcm_aes_crypt+0x104/0xa68 [aes_s390]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c9d205040d7c0eaccc473917f9b0bb0a923e440",
"status": "affected",
"version": "c1abe6f570aff4b6d396dc551e60570d2f50bd79",
"versionType": "git"
},
{
"lessThan": "6a4b8aa0a916b39a39175584c07222434fa6c6ef",
"status": "affected",
"version": "c1abe6f570aff4b6d396dc551e60570d2f50bd79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Fix missing initialisation affecting gcm-aes-s390\n\nFix af_alg_alloc_areq() to initialise areq-\u003efirst_rsgl.sgl.sgt.sgl to point\nto the scatterlist array in areq-\u003efirst_rsgl.sgl.sgl.\n\nWithout this, the gcm-aes-s390 driver will oops when it tries to do\ngcm_walk_start() on req-\u003edst because req-\u003edst is set to the value of\nareq-\u003efirst_rsgl.sgl.sgl by _aead_recvmsg() calling\naead_request_set_crypt().\n\nThe problem comes if an empty ciphertext is passed: the loop in\naf_alg_get_rsgl() just passes straight out and doesn\u0027t set areq-\u003efirst_rsgl\nup.\n\nThis isn\u0027t a problem on x86_64 using gcmaes_crypt_by_sg() because, as far\nas I can tell, that ignores req-\u003edst and only uses req-\u003esrc[*].\n\n[*] Is this a bug in aesni-intel_glue.c?\n\nThe s390x oops looks something like:\n\n Unable to handle kernel pointer dereference in virtual kernel address space\n Failing address: 0000000a00000000 TEID: 0000000a00000803\n Fault in home space mode while using kernel ASCE.\n AS:00000000a43a0007 R3:0000000000000024\n Oops: 003b ilc:2 [#1] SMP\n ...\n Call Trace:\n [\u003c000003ff7fc3d47e\u003e] gcm_walk_start+0x16/0x28 [aes_s390]\n [\u003c00000000a2a342f2\u003e] crypto_aead_decrypt+0x9a/0xb8\n [\u003c00000000a2a60888\u003e] aead_recvmsg+0x478/0x698\n [\u003c00000000a2e519a0\u003e] sock_recvmsg+0x70/0xb0\n [\u003c00000000a2e51a56\u003e] sock_read_iter+0x76/0xa0\n [\u003c00000000a273e066\u003e] vfs_read+0x26e/0x2a8\n [\u003c00000000a273e8c4\u003e] ksys_read+0xbc/0x100\n [\u003c00000000a311d808\u003e] __do_syscall+0x1d0/0x1f8\n [\u003c00000000a312ff30\u003e] system_call+0x70/0x98\n Last Breaking-Event-Address:\n [\u003c000003ff7fc3e6b4\u003e] gcm_aes_crypt+0x104/0xa68 [aes_s390]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T15:44:11.096Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c9d205040d7c0eaccc473917f9b0bb0a923e440"
},
{
"url": "https://git.kernel.org/stable/c/6a4b8aa0a916b39a39175584c07222434fa6c6ef"
}
],
"title": "crypto: af_alg - Fix missing initialisation affecting gcm-aes-s390",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53599",
"datePublished": "2025-10-04T15:44:11.096Z",
"dateReserved": "2025-10-04T15:40:38.479Z",
"dateUpdated": "2025-10-04T15:44:11.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-53599\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-04T16:15:56.497\",\"lastModified\":\"2025-10-06T14:56:21.733\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncrypto: af_alg - Fix missing initialisation affecting gcm-aes-s390\\n\\nFix af_alg_alloc_areq() to initialise areq-\u003efirst_rsgl.sgl.sgt.sgl to point\\nto the scatterlist array in areq-\u003efirst_rsgl.sgl.sgl.\\n\\nWithout this, the gcm-aes-s390 driver will oops when it tries to do\\ngcm_walk_start() on req-\u003edst because req-\u003edst is set to the value of\\nareq-\u003efirst_rsgl.sgl.sgl by _aead_recvmsg() calling\\naead_request_set_crypt().\\n\\nThe problem comes if an empty ciphertext is passed: the loop in\\naf_alg_get_rsgl() just passes straight out and doesn\u0027t set areq-\u003efirst_rsgl\\nup.\\n\\nThis isn\u0027t a problem on x86_64 using gcmaes_crypt_by_sg() because, as far\\nas I can tell, that ignores req-\u003edst and only uses req-\u003esrc[*].\\n\\n[*] Is this a bug in aesni-intel_glue.c?\\n\\nThe s390x oops looks something like:\\n\\n Unable to handle kernel pointer dereference in virtual kernel address space\\n Failing address: 0000000a00000000 TEID: 0000000a00000803\\n Fault in home space mode while using kernel ASCE.\\n AS:00000000a43a0007 R3:0000000000000024\\n Oops: 003b ilc:2 [#1] SMP\\n ...\\n Call Trace:\\n [\u003c000003ff7fc3d47e\u003e] gcm_walk_start+0x16/0x28 [aes_s390]\\n [\u003c00000000a2a342f2\u003e] crypto_aead_decrypt+0x9a/0xb8\\n [\u003c00000000a2a60888\u003e] aead_recvmsg+0x478/0x698\\n [\u003c00000000a2e519a0\u003e] sock_recvmsg+0x70/0xb0\\n [\u003c00000000a2e51a56\u003e] sock_read_iter+0x76/0xa0\\n [\u003c00000000a273e066\u003e] vfs_read+0x26e/0x2a8\\n [\u003c00000000a273e8c4\u003e] ksys_read+0xbc/0x100\\n [\u003c00000000a311d808\u003e] __do_syscall+0x1d0/0x1f8\\n [\u003c00000000a312ff30\u003e] system_call+0x70/0x98\\n Last Breaking-Event-Address:\\n [\u003c000003ff7fc3e6b4\u003e] gcm_aes_crypt+0x104/0xa68 [aes_s390]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2c9d205040d7c0eaccc473917f9b0bb0a923e440\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6a4b8aa0a916b39a39175584c07222434fa6c6ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}