ghsa-xwrx-f4gw-ff4g
Vulnerability from github
Published
2025-10-07 18:31
Modified
2025-10-07 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix unpinning of pages when an access is present

syzkaller found that the calculation of batch_last_index should use 'start_index' since at input to this function the batch is either empty or it has already been adjusted to cross any accesses so it will start at the point we are unmapping from.

Getting this wrong causes the unmap to run over the end of the pages which corrupts pages that were never mapped. In most cases this triggers the num pinned debugging:

WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560 Modules linked in: CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__iopt_area_unfill_domain+0x152/0x560 Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff <0f> 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54 RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85 RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002 RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014 R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004 R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800 FS: 00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: iopt_area_unfill_domain+0x32/0x40 iopt_table_remove_domain+0x23f/0x4c0 iommufd_device_selftest_detach+0x3a/0x90 iommufd_selftest_destroy+0x55/0x70 iommufd_object_destroy_user+0xce/0x130 iommufd_destroy+0xa2/0xc0 iommufd_fops_ioctl+0x206/0x330 __x64_sys_ioctl+0x10e/0x160 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Also add some useful WARN_ON sanity checks.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53630"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T16:15:46Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix unpinning of pages when an access is present\n\nsyzkaller found that the calculation of batch_last_index should use\n\u0027start_index\u0027 since at input to this function the batch is either empty or\nit has already been adjusted to cross any accesses so it will start at the\npoint we are unmapping from.\n\nGetting this wrong causes the unmap to run over the end of the pages\nwhich corrupts pages that were never mapped. In most cases this triggers\nthe num pinned debugging:\n\n  WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560\n  Modules linked in:\n  CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:__iopt_area_unfill_domain+0x152/0x560\n  Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff \u003c0f\u003e 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54\n  RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85\n  RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002\n  RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014\n  R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004\n  R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800\n  FS:  00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0\n  PKRU: 55555554\n  Call Trace:\n   \u003cTASK\u003e\n   iopt_area_unfill_domain+0x32/0x40\n   iopt_table_remove_domain+0x23f/0x4c0\n   iommufd_device_selftest_detach+0x3a/0x90\n   iommufd_selftest_destroy+0x55/0x70\n   iommufd_object_destroy_user+0xce/0x130\n   iommufd_destroy+0xa2/0xc0\n   iommufd_fops_ioctl+0x206/0x330\n   __x64_sys_ioctl+0x10e/0x160\n   do_syscall_64+0x3b/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nAlso add some useful WARN_ON sanity checks.",
  "id": "GHSA-xwrx-f4gw-ff4g",
  "modified": "2025-10-07T18:31:09Z",
  "published": "2025-10-07T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53630"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70726ce4d898db57bfc4ae30ecd7da63b0dd0aa4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/727c28c1cef2bc013d2c8bb6c50e410a3882a04e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.