FKIE_CVE-2023-54325

Vulnerability from fkie_nvd - Published: 2025-12-30 13:16 - Updated: 2026-06-17 06:47
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: crypto: qat - fix out-of-bounds read When preparing an AER-CTR request, the driver copies the key provided by the user into a data structure that is accessible by the firmware. If the target device is QAT GEN4, the key size is rounded up by 16 since a rounded up size is expected by the device. If the key size is rounded up before the copy, the size used for copying the key might be bigger than the size of the region containing the key, causing an out-of-bounds read. Fix by doing the copy first and then update the keylen. This is to fix the following warning reported by KASAN: [ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340 [ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45 [ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022 [ 138.150663] Call Trace: [ 138.150668] <TASK> [ 138.150922] kasan_check_range+0x13a/0x1c0 [ 138.150931] memcpy+0x1f/0x60 [ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat] [ 138.151073] crypto_skcipher_setkey+0x82/0x160 [ 138.151085] ? prepare_keybuf+0xa2/0xd0 [ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2b1501f058245573a3aa6bf234d205dde1196184
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7697139d5dfd491f4c495a914a1dd68f6e827a0f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dc3809f390357c8992f0a23083da934a20fef9af
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f6044cc3030e139f60c281386f28bda6e3049d66
Impacted products
Vendor Product Version
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/qat/qat_common/qat_algs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7697139d5dfd491f4c495a914a1dd68f6e827a0f",
              "status": "affected",
              "version": "67916c9516893528ecce060ada1f58af0ce33d93",
              "versionType": "git"
            },
            {
              "lessThan": "dc3809f390357c8992f0a23083da934a20fef9af",
              "status": "affected",
              "version": "67916c9516893528ecce060ada1f58af0ce33d93",
              "versionType": "git"
            },
            {
              "lessThan": "2b1501f058245573a3aa6bf234d205dde1196184",
              "status": "affected",
              "version": "67916c9516893528ecce060ada1f58af0ce33d93",
              "versionType": "git"
            },
            {
              "lessThan": "f6044cc3030e139f60c281386f28bda6e3049d66",
              "status": "affected",
              "version": "67916c9516893528ecce060ada1f58af0ce33d93",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/qat/qat_common/qat_algs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - fix out-of-bounds read\n\nWhen preparing an AER-CTR request, the driver copies the key provided by\nthe user into a data structure that is accessible by the firmware.\nIf the target device is QAT GEN4, the key size is rounded up by 16 since\na rounded up size is expected by the device.\nIf the key size is rounded up before the copy, the size used for copying\nthe key might be bigger than the size of the region containing the key,\ncausing an out-of-bounds read.\n\nFix by doing the copy first and then update the keylen.\n\nThis is to fix the following warning reported by KASAN:\n\n\t[  138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[  138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340\n\n\t[  138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45\n\t[  138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022\n\t[  138.150663] Call Trace:\n\t[  138.150668]  \u003cTASK\u003e\n\t[  138.150922]  kasan_check_range+0x13a/0x1c0\n\t[  138.150931]  memcpy+0x1f/0x60\n\t[  138.150940]  qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[  138.151006]  qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]\n\t[  138.151073]  crypto_skcipher_setkey+0x82/0x160\n\t[  138.151085]  ? prepare_keybuf+0xa2/0xd0\n\t[  138.151095]  test_skcipher_vec_cfg+0x2b8/0x800"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncrypto: qat - correcci\u00f3n de lectura fuera de l\u00edmites\n\nAl preparar una solicitud AER-CTR, el controlador copia la clave proporcionada por el usuario en una estructura de datos que es accesible por el firmware.\nSi el dispositivo de destino es QAT GEN4, el tama\u00f1o de la clave se redondea hacia arriba en 16 ya que el dispositivo espera un tama\u00f1o redondeado.\nSi el tama\u00f1o de la clave se redondea hacia arriba antes de la copia, el tama\u00f1o utilizado para copiar la clave podr\u00eda ser mayor que el tama\u00f1o de la regi\u00f3n que contiene la clave, causando una lectura fuera de l\u00edmites.\n\nCorrecci\u00f3n realizando primero la copia y luego actualizando el keylen.\n\nEsto es para corregir la siguiente advertencia reportada por KASAN:\n\n\t[  138.150574] BUG: KASAN: global-out-of-bounds en qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[  138.150641] Lectura de tama\u00f1o 32 en la direcci\u00f3n ffffffff88c402c0 por la tarea cryptomgr_test/2340\n\n\t[  138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test No contaminado 6.2.0-rc1+ #45\n\t[  138.150659] Nombre del hardware: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022\n\t[  138.150663] Traza de llamada:\n\t[  138.150668] \n\t[  138.150922] kasan_check_range+0x13a/0x1c0\n\t[  138.150931] memcpy+0x1f/0x60\n\t[  138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[  138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]\n\t[  138.151073] crypto_skcipher_setkey+0x82/0x160\n\t[  138.151085] ? prepare_keybuf+0xa2/0xd0\n\t[  138.151095] test_skcipher_vec_cfg+0x2b8/0x800"
    }
  ],
  "id": "CVE-2023-54325",
  "lastModified": "2026-06-17T06:47:13.820",
  "metrics": {},
  "published": "2025-12-30T13:16:21.840",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2b1501f058245573a3aa6bf234d205dde1196184"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7697139d5dfd491f4c495a914a1dd68f6e827a0f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dc3809f390357c8992f0a23083da934a20fef9af"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f6044cc3030e139f60c281386f28bda6e3049d66"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.