FKIE_CVE-2023-53026
Vulnerability from fkie_nvd - Published: 2025-03-27 17:15 - Updated: 2026-06-17 06:44
Severity
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix ib block iterator counter overflow
When registering a new DMA MR after selecting the best aligned page size
for it, we iterate over the given sglist to split each entry to smaller,
aligned to the selected page size, DMA blocks.
In given circumstances where the sg entry and page size fit certain
sizes and the sg entry is not aligned to the selected page size, the
total size of the aligned pages we need to cover the sg entry is >= 4GB.
Under this circumstances, while iterating page aligned blocks, the
counter responsible for counting how much we advanced from the start of
the sg entry is overflowed because its type is u32 and we pass 4GB in
size. This can lead to an infinite loop inside the iterator function
because the overflow prevents the counter to be larger
than the size of the sg entry.
Fix the presented problem by changing the advancement condition to
eliminate overflow.
Backtrace:
[ 192.374329] efa_reg_user_mr_dmabuf
[ 192.376783] efa_register_mr
[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000
[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]
[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3
[ 192.399559] hp_cnt[3], pages_in_hp[524288]
[ 192.403690] umem->sgt_append.sgt.nents[1]
[ 192.407905] number entries: [1], pg_bit: [31]
[ 192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472]
[ 192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472]
[ 192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472]
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 6.2 | |
| linux | linux_kernel | 6.2 | |
| linux | linux_kernel | 6.2 | |
| linux | linux_kernel | 6.2 |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "902063a9fea5f8252df392ade746bc9cfd07a5ae",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "d66c1d4178c219b6e7d7a6f714e3e3656faccc36",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "362c9489720b31b6aa7491423ba65a4e98aa9838",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "43811d07ea64366af8ec9e168c558ec51440c39e",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "0afec5e9cea732cb47014655685a2a47fb180c31",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE5CA7CE-9223-4A0E-9EC7-CD255B30BD3B",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A44D9D24-661C-40D4-8735-4CEB1C7C02F2",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91C2E92D-CC25-4FBD-8824-56A148119D7E",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ED5B6045-B1D2-4E03-B194-9005A351BCAE",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*",
"matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix ib block iterator counter overflow\n\nWhen registering a new DMA MR after selecting the best aligned page size\nfor it, we iterate over the given sglist to split each entry to smaller,\naligned to the selected page size, DMA blocks.\n\nIn given circumstances where the sg entry and page size fit certain\nsizes and the sg entry is not aligned to the selected page size, the\ntotal size of the aligned pages we need to cover the sg entry is \u003e= 4GB.\nUnder this circumstances, while iterating page aligned blocks, the\ncounter responsible for counting how much we advanced from the start of\nthe sg entry is overflowed because its type is u32 and we pass 4GB in\nsize. This can lead to an infinite loop inside the iterator function\nbecause the overflow prevents the counter to be larger\nthan the size of the sg entry.\n\nFix the presented problem by changing the advancement condition to\neliminate overflow.\n\nBacktrace:\n[ 192.374329] efa_reg_user_mr_dmabuf\n[ 192.376783] efa_register_mr\n[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000\n[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]\n[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3\n[ 192.399559] hp_cnt[3], pages_in_hp[524288]\n[ 192.403690] umem-\u003esgt_append.sgt.nents[1]\n[ 192.407905] number entries: [1], pg_bit: [31]\n[ 192.411397] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.415601] biter-\u003e__sg_advance [665837568] sg_dma_len[3221225472]\n[ 192.419823] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.423976] biter-\u003e__sg_advance [2813321216] sg_dma_len[3221225472]\n[ 192.428243] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.432397] biter-\u003e__sg_advance [665837568] sg_dma_len[3221225472]"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/core: Fix ib block iterator counter overflow Al registrar un nuevo DMA MR despu\u00e9s de seleccionar el mejor tama\u00f1o de p\u00e1gina alineado para \u00e9l, iteramos sobre la sglist dada para dividir cada entrada en bloques DMA m\u00e1s peque\u00f1os, alineados con el tama\u00f1o de p\u00e1gina seleccionado. En determinadas circunstancias en las que la entrada sg y el tama\u00f1o de p\u00e1gina se ajustan a ciertos tama\u00f1os y la entrada sg no est\u00e1 alineada con el tama\u00f1o de p\u00e1gina seleccionado, el tama\u00f1o total de las p\u00e1ginas alineadas que necesitamos para cubrir la entrada sg es \u0026gt;= 4 GB. En estas circunstancias, al iterar bloques alineados de p\u00e1gina, el contador responsable de contar cu\u00e1nto avanzamos desde el inicio de la entrada sg se desborda porque su tipo es u32 y pasamos 4 GB de tama\u00f1o. Esto puede llevar a un bucle infinito dentro de la funci\u00f3n del iterador porque el desbordamiento impide que el contador sea mayor que el tama\u00f1o de la entrada sg. Solucione el problema presentado cambiando la condici\u00f3n de avance para eliminar el desbordamiento. Backtrace: [ 192.374329] efa_reg_user_mr_dmabuf [ 192.376783] efa_register_mr [ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000 [ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000] [ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3 [ 192.399559] hp_cnt[3], pages_in_hp[524288] [ 192.403690] umem-\u0026gt;sgt_append.sgt.nents[1] [ 192.407905] number entries: [1], pg_bit: [31] [ 192.411397] biter-\u0026gt;__sg_nents [1] biter-\u0026gt;__sg [0000000008b0c5d8] [ 192.415601] biter-\u0026gt;__sg_advance [665837568] sg_dma_len[3221225472] [ 192.419823] biter-\u0026gt;__sg_nents [1] biter-\u0026gt;__sg [0000000008b0c5d8] [ 192.423976] biter-\u0026gt;__sg_advance [2813321216] sg_dma_len[3221225472] [ 192.428243] biter-\u0026gt;__sg_nents [1] biter-\u0026gt;__sg [0000000008b0c5d8] [ 192.432397] biter-\u0026gt;__sg_advance [665837568] sg_dma_len[3221225472] "
}
],
"id": "CVE-2023-53026",
"lastModified": "2026-06-17T06:44:09.023",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2023-53026",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:18:44.025281Z",
"version": "2.0.3"
}
}
]
},
"published": "2025-03-27T17:15:52.250",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/0afec5e9cea732cb47014655685a2a47fb180c31"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/362c9489720b31b6aa7491423ba65a4e98aa9838"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/43811d07ea64366af8ec9e168c558ec51440c39e"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/902063a9fea5f8252df392ade746bc9cfd07a5ae"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
],
"url": "https://git.kernel.org/stable/c/d66c1d4178c219b6e7d7a6f714e3e3656faccc36"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-835"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…