GHSA-J5XC-FJVV-7RJX

Vulnerability from github – Published: 2025-12-24 12:30 – Updated: 2025-12-24 12:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

vmci_host: fix a race condition in vmci_host_poll() causing GPF

During fuzzing, a general protection fault is observed in vmci_host_poll().

general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926 <- omitting registers -> Call Trace: lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162 add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22 poll_wait include/linux/poll.h:49 [inline] vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174 vfs_poll include/linux/poll.h:88 [inline] do_pollfd fs/select.c:873 [inline] do_poll fs/select.c:921 [inline] do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015 __do_sys_ppoll fs/select.c:1121 [inline] __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Example thread interleaving that causes the general protection fault is as follows:

CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context) ----- ----- // Read uninitialized context context = vmci_host_dev->context; // Initialize context vmci_host_dev->context = vmci_ctx_create(); vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;

if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) { // Dereferencing the wrong pointer poll_wait(..., &context->host_context); }

In this scenario, vmci_host_poll() reads vmci_host_dev->context first, and then reads vmci_host_dev->ct_type to check that vmci_host_dev->context is initialized. However, since these two reads are not atomically executed, there is a chance of a race condition as described above.

To fix this race condition, read vmci_host_dev->context after checking the value of vmci_host_dev->ct_type so that vmci_host_poll() always reads an initialized context.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54007"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T11:15:53Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\n\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n\u003c- omitting registers -\u003e\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\n poll_wait include/linux/poll.h:49 [inline]\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\n vfs_poll include/linux/poll.h:88 [inline]\n do_pollfd fs/select.c:873 [inline]\n do_poll fs/select.c:921 [inline]\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n __do_sys_ppoll fs/select.c:1121 [inline]\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nExample thread interleaving that causes the general protection fault\nis as follows:\n\nCPU1 (vmci_host_poll)               CPU2 (vmci_host_do_init_context)\n-----                               -----\n// Read uninitialized context\ncontext = vmci_host_dev-\u003econtext;\n                                    // Initialize context\n                                    vmci_host_dev-\u003econtext = vmci_ctx_create();\n                                    vmci_host_dev-\u003ect_type = VMCIOBJ_CONTEXT;\n\nif (vmci_host_dev-\u003ect_type == VMCIOBJ_CONTEXT) {\n    // Dereferencing the wrong pointer\n    poll_wait(..., \u0026context-\u003ehost_context);\n}\n\nIn this scenario, vmci_host_poll() reads vmci_host_dev-\u003econtext first,\nand then reads vmci_host_dev-\u003ect_type to check that\nvmci_host_dev-\u003econtext is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\n\nTo fix this race condition, read vmci_host_dev-\u003econtext after checking\nthe value of vmci_host_dev-\u003ect_type so that vmci_host_poll() always\nreads an initialized context.",
  "id": "GHSA-j5xc-fjvv-7rjx",
  "modified": "2025-12-24T12:30:27Z",
  "published": "2025-12-24T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54007"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.