CVE-2023-54137 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51
https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a
https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132
https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9
https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1
https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output: struct vfio_iommu_type1_info_cap_migration { struct vfio_info_cap_header header; /* 0 8 / __u32 flags; / 8 4 / / XXX 4 bytes hole, try to pack / __u64 pgsize_bitmap; / 16 8 / __u64 max_dirty_bitmap_size; / 24 8 / / size: 32, cachelines: 1, members: 4 / / sum members: 28, holes: 1, sum holes: 4 / / last cacheline: 32 bytes / }; The cap_mig variable is filled in without initializing the hole: static int vfio_iommu_migration_build_caps(struct vfio_iommu iommu, struct vfio_info_cap caps) { struct vfio_iommu_type1_info_cap_migration cap_mig; cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; cap_mig.header.version = 1; cap_mig.flags = 0; / support minimum pgsize / cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap); cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX; return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig)); } The structure is then copied to a temporary location on the heap. At this point it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace later: int vfio_info_add_capability(struct vfio_info_cap caps, struct vfio_info_cap_header cap, size_t size) { struct vfio_info_cap_header header; header = vfio_info_cap_add(caps, size, cap->id, cap->version); if (IS_ERR(header)) return PTR_ERR(header); memcpy(header + 1, cap + 1, size - sizeof(*header)); return 0; } This issue was found by code inspection.
Title		vfio/type1: fix cap_migration information leak
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51 https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132 https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9 https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1 https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54137", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T13:02:52.522Z", "datePublished": "2025-12-24T13:06:52.689Z", "dateUpdated": "2025-12-24T13:06:52.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T13:06:52.689Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: fix cap_migration information leak\n\nFix an information leak where an uninitialized hole in struct\nvfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.\n\nThe definition of struct vfio_iommu_type1_info_cap_migration contains a hole as\nshown in this pahole(1) output:\n\n struct vfio_iommu_type1_info_cap_migration {\n struct vfio_info_cap_header header; /* 0 8 */\n __u32 flags; /* 8 4 */\n\n /* XXX 4 bytes hole, try to pack */\n\n __u64 pgsize_bitmap; /* 16 8 */\n __u64 max_dirty_bitmap_size; /* 24 8 */\n\n /* size: 32, cachelines: 1, members: 4 */\n /* sum members: 28, holes: 1, sum holes: 4 */\n /* last cacheline: 32 bytes */\n };\n\nThe cap_mig variable is filled in without initializing the hole:\n\n static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,\n struct vfio_info_cap *caps)\n {\n struct vfio_iommu_type1_info_cap_migration cap_mig;\n\n cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;\n cap_mig.header.version = 1;\n\n cap_mig.flags = 0;\n /* support minimum pgsize */\n cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);\n cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;\n\n return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));\n }\n\nThe structure is then copied to a temporary location on the heap. At this point\nit's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace\nlater:\n\n int vfio_info_add_capability(struct vfio_info_cap *caps,\n struct vfio_info_cap_header *cap, size_t size)\n {\n struct vfio_info_cap_header *header;\n\n header = vfio_info_cap_add(caps, size, cap->id, cap->version);\n if (IS_ERR(header))\n return PTR_ERR(header);\n\n memcpy(header + 1, cap + 1, size - sizeof(*header));\n\n return 0;\n }\n\nThis issue was found by code inspection."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/vfio_iommu_type1.c"], "versions": [{"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "ad83d83dd891244de0d07678b257dc976db7c132", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "13fd667db999bffb557c5de7adb3c14f1713dd51", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "f6f300ecc196d243c02adeb9ee0c62c677c24bfb", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "cbac29a1caa49a34e131394e1f4d924a76d8b0c9", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "1b5feb8497cdb5b9962db2700814bffbc030fb4a", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "cd24e2a60af633f157d7e59c0a6dba64f131c0b1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/vfio_iommu_type1.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.195", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.132", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.53", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4.16", "lessThanOrEqual": "6.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.3", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.195"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.15.132"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.53"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.4.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.5.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132"}, {"url": "https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51"}, {"url": "https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb"}, {"url": "https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9"}, {"url": "https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a"}, {"url": "https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1"}], "title": "vfio/type1: fix cap_migration information leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: fix cap_migration information leak\n\nFix an information leak where an uninitialized hole in struct\nvfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.\n\nThe definition of struct vfio_iommu_type1_info_cap_migration contains a hole as\nshown in this pahole(1) output:\n\n struct vfio_iommu_type1_info_cap_migration {\n struct vfio_info_cap_header header; /* 0 8 */\n __u32 flags; /* 8 4 */\n\n /* XXX 4 bytes hole, try to pack */\n\n __u64 pgsize_bitmap; /* 16 8 */\n __u64 max_dirty_bitmap_size; /* 24 8 */\n\n /* size: 32, cachelines: 1, members: 4 */\n /* sum members: 28, holes: 1, sum holes: 4 */\n /* last cacheline: 32 bytes */\n };\n\nThe cap_mig variable is filled in without initializing the hole:\n\n static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,\n struct vfio_info_cap *caps)\n {\n struct vfio_iommu_type1_info_cap_migration cap_mig;\n\n cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;\n cap_mig.header.version = 1;\n\n cap_mig.flags = 0;\n /* support minimum pgsize */\n cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);\n cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;\n\n return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));\n }\n\nThe structure is then copied to a temporary location on the heap. At this point\nit's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace\nlater:\n\n int vfio_info_add_capability(struct vfio_info_cap *caps,\n struct vfio_info_cap_header *cap, size_t size)\n {\n struct vfio_info_cap_header *header;\n\n header = vfio_info_cap_add(caps, size, cap->id, cap->version);\n if (IS_ERR(header))\n return PTR_ERR(header);\n\n memcpy(header + 1, cap + 1, size - sizeof(*header));\n\n return 0;\n }\n\nThis issue was found by code inspection."}], "id": "CVE-2023-54137", "lastModified": "2025-12-24T13:16:15.693", "metrics": {}, "published": "2025-12-24T13:16:15.693", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object