fkie_cve-2023-53169
Vulnerability from fkie_nvd
Published
2025-09-15 14:15
Modified
2025-09-15 15:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: x86/resctrl: Clear staged_config[] before and after it is used As a temporary storage, staged_config[] in rdt_domain should be cleared before and after it is used. The stale value in staged_config[] could cause an MSR access error. Here is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3 Cache (MBA should be disabled if the number of CLOSIDs for MB is less than 16.) : mount -t resctrl resctrl -o cdp /sys/fs/resctrl mkdir /sys/fs/resctrl/p{1..7} umount /sys/fs/resctrl/ mount -t resctrl resctrl /sys/fs/resctrl mkdir /sys/fs/resctrl/p{1..8} An error occurs when creating resource group named p8: unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60) Call Trace: <IRQ> __flush_smp_call_function_queue+0x11d/0x170 __sysvec_call_function+0x24/0xd0 sysvec_call_function+0x89/0xc0 </IRQ> <TASK> asm_sysvec_call_function+0x16/0x20 When creating a new resource control group, hardware will be configured by the following process: rdtgroup_mkdir() rdtgroup_mkdir_ctrl_mon() rdtgroup_init_alloc() resctrl_arch_update_domains() resctrl_arch_update_domains() iterates and updates all resctrl_conf_type whose have_new_ctrl is true. Since staged_config[] holds the same values as when CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA configurations. When group p8 is created, get_config_index() called in resctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for CDP_CODE and CDP_DATA, which will be translated to an invalid register - 0xca0 in this scenario. Fix it by clearing staged_config[] before and after it is used. [reinette: re-order commit tags]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0424a7dfe9129b93f29b277511a60e87f052ac6b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3fc5941ecc31a495b6b84b465f36155009db99b5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/86db319d25db70cf4af4557e05f6fa6f39c70003
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8ecc60ef9318f0d533b866fa421858cc185bccfc
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/resctrl: Clear staged_config[] before and after it is used\n\nAs a temporary storage, staged_config[] in rdt_domain should be cleared\nbefore and after it is used. The stale value in staged_config[] could\ncause an MSR access error.\n\nHere is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3\nCache (MBA should be disabled if the number of CLOSIDs for MB is less than\n16.) :\n\tmount -t resctrl resctrl -o cdp /sys/fs/resctrl\n\tmkdir /sys/fs/resctrl/p{1..7}\n\tumount /sys/fs/resctrl/\n\tmount -t resctrl resctrl /sys/fs/resctrl\n\tmkdir /sys/fs/resctrl/p{1..8}\n\nAn error occurs when creating resource group named p8:\n    unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60)\n    Call Trace:\n     \u003cIRQ\u003e\n     __flush_smp_call_function_queue+0x11d/0x170\n     __sysvec_call_function+0x24/0xd0\n     sysvec_call_function+0x89/0xc0\n     \u003c/IRQ\u003e\n     \u003cTASK\u003e\n     asm_sysvec_call_function+0x16/0x20\n\nWhen creating a new resource control group, hardware will be configured\nby the following process:\n    rdtgroup_mkdir()\n      rdtgroup_mkdir_ctrl_mon()\n        rdtgroup_init_alloc()\n          resctrl_arch_update_domains()\n\nresctrl_arch_update_domains() iterates and updates all resctrl_conf_type\nwhose have_new_ctrl is true. Since staged_config[] holds the same values as\nwhen CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA\nconfigurations. When group p8 is created, get_config_index() called in\nresctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for\nCDP_CODE and CDP_DATA, which will be translated to an invalid register -\n0xca0 in this scenario.\n\nFix it by clearing staged_config[] before and after it is used.\n\n[reinette: re-order commit tags]"
    }
  ],
  "id": "CVE-2023-53169",
  "lastModified": "2025-09-15T15:22:27.090",
  "metrics": {},
  "published": "2025-09-15T14:15:38.693",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0424a7dfe9129b93f29b277511a60e87f052ac6b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3fc5941ecc31a495b6b84b465f36155009db99b5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/86db319d25db70cf4af4557e05f6fa6f39c70003"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8ecc60ef9318f0d533b866fa421858cc185bccfc"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.