fkie_cve-2023-53363
Vulnerability from fkie_nvd
Published
2025-09-17 15:15
Modified
2025-09-18 13:43
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: PCI: Fix use-after-free in pci_bus_release_domain_nr() Commit c14f7ccc9f5d ("PCI: Assign PCI domain IDs by ida_alloc()") introduced a use-after-free bug in the bus removal cleanup. The issue was found with kfence: [ 19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70 [ 19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115): [ 19.309677] pci_bus_release_domain_nr+0x10/0x70 [ 19.309691] dw_pcie_host_deinit+0x28/0x78 [ 19.309702] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194] [ 19.309734] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194] [ 19.309752] platform_probe+0x90/0xd8 ... [ 19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k [ 19.311469] allocated by task 96 on cpu 10 at 19.279323s: [ 19.311562] __kmem_cache_alloc_node+0x260/0x278 [ 19.311571] kmalloc_trace+0x24/0x30 [ 19.311580] pci_alloc_bus+0x24/0xa0 [ 19.311590] pci_register_host_bridge+0x48/0x4b8 [ 19.311601] pci_scan_root_bus_bridge+0xc0/0xe8 [ 19.311613] pci_host_probe+0x18/0xc0 [ 19.311623] dw_pcie_host_init+0x2c0/0x568 [ 19.311630] tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194] [ 19.311647] platform_probe+0x90/0xd8 ... [ 19.311782] freed by task 96 on cpu 10 at 19.285833s: [ 19.311799] release_pcibus_dev+0x30/0x40 [ 19.311808] device_release+0x30/0x90 [ 19.311814] kobject_put+0xa8/0x120 [ 19.311832] device_unregister+0x20/0x30 [ 19.311839] pci_remove_bus+0x78/0x88 [ 19.311850] pci_remove_root_bus+0x5c/0x98 [ 19.311860] dw_pcie_host_deinit+0x28/0x78 [ 19.311866] tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194] [ 19.311883] tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194] [ 19.311900] platform_probe+0x90/0xd8 ... [ 19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4 [ 19.320171] Hardware name: /, BIOS 1.0-d7fb19b 08/10/2022 [ 19.325852] Workqueue: events_unbound deferred_probe_work_func The stack trace is a bit misleading as dw_pcie_host_deinit() doesn't directly call pci_bus_release_domain_nr(). The issue turns out to be in pci_remove_root_bus() which first calls pci_remove_bus() which frees the struct pci_bus when its struct device is released. Then pci_bus_release_domain_nr() is called and accesses the freed struct pci_bus. Reordering these fixes the issue.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/07a75c0050e59c50f038cc5f4e2a3258c8f8c9d0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/30ba2d09edb5ea857a1473ae3d820911347ada62
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/52b0343c7d628f37b38e3279ba585526b850ad3b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ad367516b1c09317111255ecfbf5e42c33e31918
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fbf45385e3419b8698b5e0a434847072375cfec2
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix use-after-free in pci_bus_release_domain_nr()\n\nCommit c14f7ccc9f5d (\"PCI: Assign PCI domain IDs by ida_alloc()\")\nintroduced a use-after-free bug in the bus removal cleanup. The issue was\nfound with kfence:\n\n  [   19.293351] BUG: KFENCE: use-after-free read in pci_bus_release_domain_nr+0x10/0x70\n\n  [   19.302817] Use-after-free read at 0x000000007f3b80eb (in kfence-#115):\n  [   19.309677]  pci_bus_release_domain_nr+0x10/0x70\n  [   19.309691]  dw_pcie_host_deinit+0x28/0x78\n  [   19.309702]  tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]\n  [   19.309734]  tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]\n  [   19.309752]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.311457] kfence-#115: 0x00000000063a155a-0x00000000ba698da8, size=1072, cache=kmalloc-2k\n\n  [   19.311469] allocated by task 96 on cpu 10 at 19.279323s:\n  [   19.311562]  __kmem_cache_alloc_node+0x260/0x278\n  [   19.311571]  kmalloc_trace+0x24/0x30\n  [   19.311580]  pci_alloc_bus+0x24/0xa0\n  [   19.311590]  pci_register_host_bridge+0x48/0x4b8\n  [   19.311601]  pci_scan_root_bus_bridge+0xc0/0xe8\n  [   19.311613]  pci_host_probe+0x18/0xc0\n  [   19.311623]  dw_pcie_host_init+0x2c0/0x568\n  [   19.311630]  tegra_pcie_dw_probe+0x610/0xb28 [pcie_tegra194]\n  [   19.311647]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.311782] freed by task 96 on cpu 10 at 19.285833s:\n  [   19.311799]  release_pcibus_dev+0x30/0x40\n  [   19.311808]  device_release+0x30/0x90\n  [   19.311814]  kobject_put+0xa8/0x120\n  [   19.311832]  device_unregister+0x20/0x30\n  [   19.311839]  pci_remove_bus+0x78/0x88\n  [   19.311850]  pci_remove_root_bus+0x5c/0x98\n  [   19.311860]  dw_pcie_host_deinit+0x28/0x78\n  [   19.311866]  tegra_pcie_deinit_controller+0x1c/0x38 [pcie_tegra194]\n  [   19.311883]  tegra_pcie_dw_probe+0x648/0xb28 [pcie_tegra194]\n  [   19.311900]  platform_probe+0x90/0xd8\n  ...\n\n  [   19.313579] CPU: 10 PID: 96 Comm: kworker/u24:2 Not tainted 6.2.0 #4\n  [   19.320171] Hardware name:  /, BIOS 1.0-d7fb19b 08/10/2022\n  [   19.325852] Workqueue: events_unbound deferred_probe_work_func\n\nThe stack trace is a bit misleading as dw_pcie_host_deinit() doesn\u0027t\ndirectly call pci_bus_release_domain_nr(). The issue turns out to be in\npci_remove_root_bus() which first calls pci_remove_bus() which frees the\nstruct pci_bus when its struct device is released. Then\npci_bus_release_domain_nr() is called and accesses the freed struct\npci_bus. Reordering these fixes the issue."
    }
  ],
  "id": "CVE-2023-53363",
  "lastModified": "2025-09-18T13:43:34.310",
  "metrics": {},
  "published": "2025-09-17T15:15:40.503",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/07a75c0050e59c50f038cc5f4e2a3258c8f8c9d0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/30ba2d09edb5ea857a1473ae3d820911347ada62"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/52b0343c7d628f37b38e3279ba585526b850ad3b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ad367516b1c09317111255ecfbf5e42c33e31918"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fbf45385e3419b8698b5e0a434847072375cfec2"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.