CVE-2023-54007 (GCVE-0-2023-54007)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
Title
vmci_host: fix a race condition in vmci_host_poll() causing GPF
Summary
In the Linux kernel, the following vulnerability has been resolved:
vmci_host: fix a race condition in vmci_host_poll() causing GPF
During fuzzing, a general protection fault is observed in
vmci_host_poll().
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
<- omitting registers ->
Call Trace:
<TASK>
lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162
add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22
poll_wait include/linux/poll.h:49 [inline]
vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174
vfs_poll include/linux/poll.h:88 [inline]
do_pollfd fs/select.c:873 [inline]
do_poll fs/select.c:921 [inline]
do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015
__do_sys_ppoll fs/select.c:1121 [inline]
__se_sys_ppoll+0x2cc/0x330 fs/select.c:1101
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Example thread interleaving that causes the general protection fault
is as follows:
CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)
----- -----
// Read uninitialized context
context = vmci_host_dev->context;
// Initialize context
vmci_host_dev->context = vmci_ctx_create();
vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;
if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {
// Dereferencing the wrong pointer
poll_wait(..., &context->host_context);
}
In this scenario, vmci_host_poll() reads vmci_host_dev->context first,
and then reads vmci_host_dev->ct_type to check that
vmci_host_dev->context is initialized. However, since these two reads
are not atomically executed, there is a chance of a race condition as
described above.
To fix this race condition, read vmci_host_dev->context after checking
the value of vmci_host_dev->ct_type so that vmci_host_poll() always
reads an initialized context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 2053e93ac15519ed1f1fe6eba79a33a4963be4a3
(git)
Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ca0f4ad2b7a36c799213ef0a213eb977a51e03dc (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 770d30b1355c6c8879973dd054fca9168def182c (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < d22b2a35729cb1de311cb650cd67518a24e13fc9 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 67e35824f861a05b44b19d38e16a83f653bd9d92 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ab64bd32b9fac27ff4737d63711b9db5e5462448 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ae13381da5ff0e8e084c0323c3cc0a945e43e9c7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2053e93ac15519ed1f1fe6eba79a33a4963be4a3",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ca0f4ad2b7a36c799213ef0a213eb977a51e03dc",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "770d30b1355c6c8879973dd054fca9168def182c",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "d22b2a35729cb1de311cb650cd67518a24e13fc9",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "67e35824f861a05b44b19d38e16a83f653bd9d92",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ab64bd32b9fac27ff4737d63711b9db5e5462448",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ae13381da5ff0e8e084c0323c3cc0a945e43e9c7",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\n\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n\u003c- omitting registers -\u003e\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\n poll_wait include/linux/poll.h:49 [inline]\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\n vfs_poll include/linux/poll.h:88 [inline]\n do_pollfd fs/select.c:873 [inline]\n do_poll fs/select.c:921 [inline]\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n __do_sys_ppoll fs/select.c:1121 [inline]\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nExample thread interleaving that causes the general protection fault\nis as follows:\n\nCPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)\n----- -----\n// Read uninitialized context\ncontext = vmci_host_dev-\u003econtext;\n // Initialize context\n vmci_host_dev-\u003econtext = vmci_ctx_create();\n vmci_host_dev-\u003ect_type = VMCIOBJ_CONTEXT;\n\nif (vmci_host_dev-\u003ect_type == VMCIOBJ_CONTEXT) {\n // Dereferencing the wrong pointer\n poll_wait(..., \u0026context-\u003ehost_context);\n}\n\nIn this scenario, vmci_host_poll() reads vmci_host_dev-\u003econtext first,\nand then reads vmci_host_dev-\u003ect_type to check that\nvmci_host_dev-\u003econtext is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\n\nTo fix this race condition, read vmci_host_dev-\u003econtext after checking\nthe value of vmci_host_dev-\u003ect_type so that vmci_host_poll() always\nreads an initialized context."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:41.281Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3"
},
{
"url": "https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc"
},
{
"url": "https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b"
},
{
"url": "https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c"
},
{
"url": "https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9"
},
{
"url": "https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92"
},
{
"url": "https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448"
},
{
"url": "https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7"
}
],
"title": "vmci_host: fix a race condition in vmci_host_poll() causing GPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54007",
"datePublished": "2025-12-24T10:55:41.281Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:41.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54007\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:15:53.633\",\"lastModified\":\"2025-12-29T15:58:56.260\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\\n\\nDuring fuzzing, a general protection fault is observed in\\nvmci_host_poll().\\n\\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\\n\u003c- omitting registers -\u003e\\nCall Trace:\\n \u003cTASK\u003e\\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\\n poll_wait include/linux/poll.h:49 [inline]\\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\\n vfs_poll include/linux/poll.h:88 [inline]\\n do_pollfd fs/select.c:873 [inline]\\n do_poll fs/select.c:921 [inline]\\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\\n __do_sys_ppoll fs/select.c:1121 [inline]\\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n\\nExample thread interleaving that causes the general protection fault\\nis as follows:\\n\\nCPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)\\n----- -----\\n// Read uninitialized context\\ncontext = vmci_host_dev-\u003econtext;\\n // Initialize context\\n vmci_host_dev-\u003econtext = vmci_ctx_create();\\n vmci_host_dev-\u003ect_type = VMCIOBJ_CONTEXT;\\n\\nif (vmci_host_dev-\u003ect_type == VMCIOBJ_CONTEXT) {\\n // Dereferencing the wrong pointer\\n poll_wait(..., \u0026context-\u003ehost_context);\\n}\\n\\nIn this scenario, vmci_host_poll() reads vmci_host_dev-\u003econtext first,\\nand then reads vmci_host_dev-\u003ect_type to check that\\nvmci_host_dev-\u003econtext is initialized. However, since these two reads\\nare not atomically executed, there is a chance of a race condition as\\ndescribed above.\\n\\nTo fix this race condition, read vmci_host_dev-\u003econtext after checking\\nthe value of vmci_host_dev-\u003ect_type so that vmci_host_poll() always\\nreads an initialized context.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…