CVE-2023-53795 (GCVE-0-2023-53795)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: iommufd: IOMMUFD_DESTROY should not increase the refcount syzkaller found a race where IOMMUFD_DESTROY increments the refcount: obj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY); if (IS_ERR(obj)) return PTR_ERR(obj); iommufd_ref_to_users(obj); /* See iommufd_ref_to_users() */ if (!iommufd_object_destroy_user(ucmd->ictx, obj)) As part of the sequence to join the two existing primitives together. Allowing the refcount the be elevated without holding the destroy_rwsem violates the assumption that all temporary refcount elevations are protected by destroy_rwsem. Racing IOMMUFD_DESTROY with iommufd_object_destroy_user() will cause spurious failures: WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478 Modules linked in: CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477 Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41 RSP: 0018:ffffc90003067e08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500 R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88 R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe FS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0 Call Trace: <TASK> iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline] iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813 iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The solution is to not increment the refcount on the IOMMUFD_DESTROY path at all. Instead use the xa_lock to serialize everything. The refcount check == 1 and xa_erase can be done under a single critical region. This avoids the need for any refcount incrementing. It has the downside that if userspace races destroy with other operations it will get an EBUSY instead of waiting, but this is kind of racing is already dangerous.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2 , < 495b327435b0298e9b3b434f5834d459a93673ce (git)
Affected: 2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2 , < 99f98a7c0d6985d5507c8130a981972e4b7b3bdc (git)
Create a notification for this product.
    Linux Linux Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.4.8 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/device.c",
            "drivers/iommu/iommufd/iommufd_private.h",
            "drivers/iommu/iommufd/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "495b327435b0298e9b3b434f5834d459a93673ce",
              "status": "affected",
              "version": "2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2",
              "versionType": "git"
            },
            {
              "lessThan": "99f98a7c0d6985d5507c8130a981972e4b7b3bdc",
              "status": "affected",
              "version": "2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/device.c",
            "drivers/iommu/iommufd/iommufd_private.h",
            "drivers/iommu/iommufd/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.8",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: IOMMUFD_DESTROY should not increase the refcount\n\nsyzkaller found a race where IOMMUFD_DESTROY increments the refcount:\n\n       obj = iommufd_get_object(ucmd-\u003eictx, cmd-\u003eid, IOMMUFD_OBJ_ANY);\n       if (IS_ERR(obj))\n               return PTR_ERR(obj);\n       iommufd_ref_to_users(obj);\n       /* See iommufd_ref_to_users() */\n       if (!iommufd_object_destroy_user(ucmd-\u003eictx, obj))\n\nAs part of the sequence to join the two existing primitives together.\n\nAllowing the refcount the be elevated without holding the destroy_rwsem\nviolates the assumption that all temporary refcount elevations are\nprotected by destroy_rwsem. Racing IOMMUFD_DESTROY with\niommufd_object_destroy_user() will cause spurious failures:\n\n  WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478\n  Modules linked in:\n  CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\n  RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477\n  Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 \u003c0f\u003e 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41\n  RSP: 0018:ffffc90003067e08 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000\n  RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff\n  RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500\n  R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88\n  R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe\n  FS:  00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0\n  Call Trace:\n   \u003cTASK\u003e\n   iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]\n   iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813\n   iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\n   __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe solution is to not increment the refcount on the IOMMUFD_DESTROY path\nat all. Instead use the xa_lock to serialize everything. The refcount\ncheck == 1 and xa_erase can be done under a single critical region. This\navoids the need for any refcount incrementing.\n\nIt has the downside that if userspace races destroy with other operations\nit will get an EBUSY instead of waiting, but this is kind of racing is\nalready dangerous."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:00:51.992Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/495b327435b0298e9b3b434f5834d459a93673ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/99f98a7c0d6985d5507c8130a981972e4b7b3bdc"
        }
      ],
      "title": "iommufd: IOMMUFD_DESTROY should not increase the refcount",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53795",
    "datePublished": "2025-12-09T00:00:51.992Z",
    "dateReserved": "2025-12-08T23:58:35.274Z",
    "dateUpdated": "2025-12-09T00:00:51.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53795\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-09T01:16:51.080\",\"lastModified\":\"2025-12-09T18:37:13.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommufd: IOMMUFD_DESTROY should not increase the refcount\\n\\nsyzkaller found a race where IOMMUFD_DESTROY increments the refcount:\\n\\n       obj = iommufd_get_object(ucmd-\u003eictx, cmd-\u003eid, IOMMUFD_OBJ_ANY);\\n       if (IS_ERR(obj))\\n               return PTR_ERR(obj);\\n       iommufd_ref_to_users(obj);\\n       /* See iommufd_ref_to_users() */\\n       if (!iommufd_object_destroy_user(ucmd-\u003eictx, obj))\\n\\nAs part of the sequence to join the two existing primitives together.\\n\\nAllowing the refcount the be elevated without holding the destroy_rwsem\\nviolates the assumption that all temporary refcount elevations are\\nprotected by destroy_rwsem. Racing IOMMUFD_DESTROY with\\niommufd_object_destroy_user() will cause spurious failures:\\n\\n  WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478\\n  Modules linked in:\\n  CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0\\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\\n  RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477\\n  Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 \u003c0f\u003e 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41\\n  RSP: 0018:ffffc90003067e08 EFLAGS: 00010246\\n  RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000\\n  RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff\\n  RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500\\n  R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88\\n  R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe\\n  FS:  00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0\\n  Call Trace:\\n   \u003cTASK\u003e\\n   iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]\\n   iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813\\n   iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337\\n   vfs_ioctl fs/ioctl.c:51 [inline]\\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\\n   __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856\\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n   do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80\\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThe solution is to not increment the refcount on the IOMMUFD_DESTROY path\\nat all. Instead use the xa_lock to serialize everything. The refcount\\ncheck == 1 and xa_erase can be done under a single critical region. This\\navoids the need for any refcount incrementing.\\n\\nIt has the downside that if userspace races destroy with other operations\\nit will get an EBUSY instead of waiting, but this is kind of racing is\\nalready dangerous.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/495b327435b0298e9b3b434f5834d459a93673ce\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/99f98a7c0d6985d5507c8130a981972e4b7b3bdc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.