github - ghsa-r3pm-w3wq-c59c

GHSA-R3PM-W3WQ-C59C

Vulnerability from github – Published: 2025-12-30 15:30 – Updated: 2025-12-30 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

keys: Fix linking a duplicate key to a keyring's assoc_array

When making a DNS query inside the kernel using dns_query(), the request code can in rare cases end up creating a duplicate index key in the assoc_array of the destination keyring. It is eventually found by a BUG_ON() check in the assoc_array implementation and results in a crash.

Example report: [2158499.700025] kernel BUG at ../lib/assoc_array.c:652! [2158499.700039] invalid opcode: 0000 [#1] SMP PTI [2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 [2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] [2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 [2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f [2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 [2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 [2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 [2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 [2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 [2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 [2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 [2158499.700702] Call Trace: [2158499.700741] ? key_alloc+0x447/0x4b0 [2158499.700768] ? __key_link_begin+0x43/0xa0 [2158499.700790] __key_link_begin+0x43/0xa0 [2158499.700814] request_key_and_link+0x2c7/0x730 [2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] [2158499.700873] ? key_default_cmp+0x20/0x20 [2158499.700898] request_key_tag+0x43/0xa0 [2158499.700926] dns_query+0x114/0x2ca [dns_resolver] [2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] [2158499.701164] ? scnprintf+0x49/0x90 [2158499.701190] ? __switch_to_asm+0x40/0x70 [2158499.701211] ? __switch_to_asm+0x34/0x70 [2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] [2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] [2158499.701632] process_one_work+0x1f8/0x3e0 [2158499.701658] worker_thread+0x2d/0x3f0 [2158499.701682] ? process_one_work+0x3e0/0x3e0 [2158499.701703] kthread+0x10d/0x130 [2158499.701723] ? kthread_park+0xb0/0xb0 [2158499.701746] ret_from_fork+0x1f/0x40

The situation occurs as follows: * Some kernel facility invokes dns_query() to resolve a hostname, for example, "abcdef". The function registers its global DNS resolver cache as current->cred.thread_keyring and passes the query to request_key_net() -> request_key_tag() -> request_key_and_link(). * Function request_key_and_link() creates a keyring_search_context object. Its match_data.cmp method gets set via a call to type->match_preparse() (resolves to dns_resolver_match_preparse()) to dns_resolver_cmp(). * Function request_key_and_link() continues and invokes search_process_keyrings_rcu() which returns that a given key was not found. The control is then passed to request_key_and_link() -> construct_alloc_key(). * Concurrently to that, a second task similarly makes a DNS query for "abcdef." and its result gets inserted into the DNS resolver cache. * Back on the first task, function construct_alloc_key() first runs __key_link_begin() to determine an assoc_array_edit operation to insert a new key. Index keys in the array are compared exactly as-is, using keyring_compare_object(). The operation ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-54170"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:04Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix linking a duplicate key to a keyring\u0027s assoc_array\n\nWhen making a DNS query inside the kernel using dns_query(), the request\ncode can in rare cases end up creating a duplicate index key in the\nassoc_array of the destination keyring. It is eventually found by\na BUG_ON() check in the assoc_array implementation and results in\na crash.\n\nExample report:\n[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!\n[2158499.700039] invalid opcode: 0000 [#1] SMP PTI\n[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3\n[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]\n[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40\n[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff \u003c0f\u003e 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f\n[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282\n[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005\n[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000\n[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000\n[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28\n[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740\n[2158499.700585] FS:  0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000\n[2158499.700610] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0\n[2158499.700702] Call Trace:\n[2158499.700741]  ? key_alloc+0x447/0x4b0\n[2158499.700768]  ? __key_link_begin+0x43/0xa0\n[2158499.700790]  __key_link_begin+0x43/0xa0\n[2158499.700814]  request_key_and_link+0x2c7/0x730\n[2158499.700847]  ? dns_resolver_read+0x20/0x20 [dns_resolver]\n[2158499.700873]  ? key_default_cmp+0x20/0x20\n[2158499.700898]  request_key_tag+0x43/0xa0\n[2158499.700926]  dns_query+0x114/0x2ca [dns_resolver]\n[2158499.701127]  dns_resolve_server_name_to_ip+0x194/0x310 [cifs]\n[2158499.701164]  ? scnprintf+0x49/0x90\n[2158499.701190]  ? __switch_to_asm+0x40/0x70\n[2158499.701211]  ? __switch_to_asm+0x34/0x70\n[2158499.701405]  reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]\n[2158499.701603]  cifs_resolve_server+0x4b/0xd0 [cifs]\n[2158499.701632]  process_one_work+0x1f8/0x3e0\n[2158499.701658]  worker_thread+0x2d/0x3f0\n[2158499.701682]  ? process_one_work+0x3e0/0x3e0\n[2158499.701703]  kthread+0x10d/0x130\n[2158499.701723]  ? kthread_park+0xb0/0xb0\n[2158499.701746]  ret_from_fork+0x1f/0x40\n\nThe situation occurs as follows:\n* Some kernel facility invokes dns_query() to resolve a hostname, for\n  example, \"abcdef\". The function registers its global DNS resolver\n  cache as current-\u003ecred.thread_keyring and passes the query to\n  request_key_net() -\u003e request_key_tag() -\u003e request_key_and_link().\n* Function request_key_and_link() creates a keyring_search_context\n  object. Its match_data.cmp method gets set via a call to\n  type-\u003ematch_preparse() (resolves to dns_resolver_match_preparse()) to\n  dns_resolver_cmp().\n* Function request_key_and_link() continues and invokes\n  search_process_keyrings_rcu() which returns that a given key was not\n  found. The control is then passed to request_key_and_link() -\u003e\n  construct_alloc_key().\n* Concurrently to that, a second task similarly makes a DNS query for\n  \"abcdef.\" and its result gets inserted into the DNS resolver cache.\n* Back on the first task, function construct_alloc_key() first runs\n  __key_link_begin() to determine an assoc_array_edit operation to\n  insert a new key. Index keys in the array are compared exactly as-is,\n  using keyring_compare_object(). The operation \n---truncated---",
  "id": "GHSA-r3pm-w3wq-c59c",
  "modified": "2025-12-30T15:30:30Z",
  "published": "2025-12-30T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54170"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/00edfa6d4fe022942e2f2e6f3294ff13ef78b15c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a6b0ca58685be34979236f83f2b322635b80b32"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65bd66a794bfa059375ec834885bb610d75c0182"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9aecfebea24fe6071ace5cc9fd6d690b87276bbb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d55901522f96082a43b9842d34867363c0cdbac5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e091bb55af9a930801f83df78195a908a76e1479"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2023-54170 (GCVE-0-2023-54170)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08

Title

keys: Fix linking a duplicate key to a keyring's assoc_array

Summary

In the Linux kernel, the following vulnerability has been resolved: keys: Fix linking a duplicate key to a keyring's assoc_array When making a DNS query inside the kernel using dns_query(), the request code can in rare cases end up creating a duplicate index key in the assoc_array of the destination keyring. It is eventually found by a BUG_ON() check in the assoc_array implementation and results in a crash. Example report: [2158499.700025] kernel BUG at ../lib/assoc_array.c:652! [2158499.700039] invalid opcode: 0000 [#1] SMP PTI [2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 [2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] [2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 [2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f [2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 [2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 [2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 [2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 [2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 [2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 [2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 [2158499.700702] Call Trace: [2158499.700741] ? key_alloc+0x447/0x4b0 [2158499.700768] ? __key_link_begin+0x43/0xa0 [2158499.700790] __key_link_begin+0x43/0xa0 [2158499.700814] request_key_and_link+0x2c7/0x730 [2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] [2158499.700873] ? key_default_cmp+0x20/0x20 [2158499.700898] request_key_tag+0x43/0xa0 [2158499.700926] dns_query+0x114/0x2ca [dns_resolver] [2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] [2158499.701164] ? scnprintf+0x49/0x90 [2158499.701190] ? __switch_to_asm+0x40/0x70 [2158499.701211] ? __switch_to_asm+0x34/0x70 [2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] [2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] [2158499.701632] process_one_work+0x1f8/0x3e0 [2158499.701658] worker_thread+0x2d/0x3f0 [2158499.701682] ? process_one_work+0x3e0/0x3e0 [2158499.701703] kthread+0x10d/0x130 [2158499.701723] ? kthread_park+0xb0/0xb0 [2158499.701746] ret_from_fork+0x1f/0x40 The situation occurs as follows: * Some kernel facility invokes dns_query() to resolve a hostname, for example, "abcdef". The function registers its global DNS resolver cache as current->cred.thread_keyring and passes the query to request_key_net() -> request_key_tag() -> request_key_and_link(). * Function request_key_and_link() creates a keyring_search_context object. Its match_data.cmp method gets set via a call to type->match_preparse() (resolves to dns_resolver_match_preparse()) to dns_resolver_cmp(). * Function request_key_and_link() continues and invokes search_process_keyrings_rcu() which returns that a given key was not found. The control is then passed to request_key_and_link() -> construct_alloc_key(). * Concurrently to that, a second task similarly makes a DNS query for "abcdef." and its result gets inserted into the DNS resolver cache. * Back on the first task, function construct_alloc_key() first runs __key_link_begin() to determine an assoc_array_edit operation to insert a new key. Index keys in the array are compared exactly as-is, using keyring_compare_object(). The operation ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/65bd66a794bfa0593…
	https://git.kernel.org/stable/c/0a6b0ca58685be349…
	https://git.kernel.org/stable/c/9aecfebea24fe6071…
	https://git.kernel.org/stable/c/00edfa6d4fe022942…
	https://git.kernel.org/stable/c/e091bb55af9a93080…
	https://git.kernel.org/stable/c/d55901522f96082a4…

Impacted products

Vendor

Product

Version

Linux

Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 65bd66a794bfa059375ec834885bb610d75c0182 (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 0a6b0ca58685be34979236f83f2b322635b80b32 (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 9aecfebea24fe6071ace5cc9fd6d690b87276bbb (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 00edfa6d4fe022942e2f2e6f3294ff13ef78b15c (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < e091bb55af9a930801f83df78195a908a76e1479 (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < d55901522f96082a43b9842d34867363c0cdbac5 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.4.253 , ≤ 5.4.* (semver)
Unaffected: 5.10.188 , ≤ 5.10.* (semver)
Unaffected: 5.15.123 , ≤ 5.15.* (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/keys/request_key.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "65bd66a794bfa059375ec834885bb610d75c0182",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "0a6b0ca58685be34979236f83f2b322635b80b32",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "9aecfebea24fe6071ace5cc9fd6d690b87276bbb",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "00edfa6d4fe022942e2f2e6f3294ff13ef78b15c",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "e091bb55af9a930801f83df78195a908a76e1479",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "d55901522f96082a43b9842d34867363c0cdbac5",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/keys/request_key.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.253",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.188",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.123",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix linking a duplicate key to a keyring\u0027s assoc_array\n\nWhen making a DNS query inside the kernel using dns_query(), the request\ncode can in rare cases end up creating a duplicate index key in the\nassoc_array of the destination keyring. It is eventually found by\na BUG_ON() check in the assoc_array implementation and results in\na crash.\n\nExample report:\n[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!\n[2158499.700039] invalid opcode: 0000 [#1] SMP PTI\n[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3\n[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]\n[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40\n[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff \u003c0f\u003e 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f\n[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282\n[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005\n[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000\n[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000\n[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28\n[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740\n[2158499.700585] FS:  0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000\n[2158499.700610] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0\n[2158499.700702] Call Trace:\n[2158499.700741]  ? key_alloc+0x447/0x4b0\n[2158499.700768]  ? __key_link_begin+0x43/0xa0\n[2158499.700790]  __key_link_begin+0x43/0xa0\n[2158499.700814]  request_key_and_link+0x2c7/0x730\n[2158499.700847]  ? dns_resolver_read+0x20/0x20 [dns_resolver]\n[2158499.700873]  ? key_default_cmp+0x20/0x20\n[2158499.700898]  request_key_tag+0x43/0xa0\n[2158499.700926]  dns_query+0x114/0x2ca [dns_resolver]\n[2158499.701127]  dns_resolve_server_name_to_ip+0x194/0x310 [cifs]\n[2158499.701164]  ? scnprintf+0x49/0x90\n[2158499.701190]  ? __switch_to_asm+0x40/0x70\n[2158499.701211]  ? __switch_to_asm+0x34/0x70\n[2158499.701405]  reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]\n[2158499.701603]  cifs_resolve_server+0x4b/0xd0 [cifs]\n[2158499.701632]  process_one_work+0x1f8/0x3e0\n[2158499.701658]  worker_thread+0x2d/0x3f0\n[2158499.701682]  ? process_one_work+0x3e0/0x3e0\n[2158499.701703]  kthread+0x10d/0x130\n[2158499.701723]  ? kthread_park+0xb0/0xb0\n[2158499.701746]  ret_from_fork+0x1f/0x40\n\nThe situation occurs as follows:\n* Some kernel facility invokes dns_query() to resolve a hostname, for\n  example, \"abcdef\". The function registers its global DNS resolver\n  cache as current-\u003ecred.thread_keyring and passes the query to\n  request_key_net() -\u003e request_key_tag() -\u003e request_key_and_link().\n* Function request_key_and_link() creates a keyring_search_context\n  object. Its match_data.cmp method gets set via a call to\n  type-\u003ematch_preparse() (resolves to dns_resolver_match_preparse()) to\n  dns_resolver_cmp().\n* Function request_key_and_link() continues and invokes\n  search_process_keyrings_rcu() which returns that a given key was not\n  found. The control is then passed to request_key_and_link() -\u003e\n  construct_alloc_key().\n* Concurrently to that, a second task similarly makes a DNS query for\n  \"abcdef.\" and its result gets inserted into the DNS resolver cache.\n* Back on the first task, function construct_alloc_key() first runs\n  __key_link_begin() to determine an assoc_array_edit operation to\n  insert a new key. Index keys in the array are compared exactly as-is,\n  using keyring_compare_object(). The operation \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:44.763Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/65bd66a794bfa059375ec834885bb610d75c0182"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a6b0ca58685be34979236f83f2b322635b80b32"
        },
        {
          "url": "https://git.kernel.org/stable/c/9aecfebea24fe6071ace5cc9fd6d690b87276bbb"
        },
        {
          "url": "https://git.kernel.org/stable/c/00edfa6d4fe022942e2f2e6f3294ff13ef78b15c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e091bb55af9a930801f83df78195a908a76e1479"
        },
        {
          "url": "https://git.kernel.org/stable/c/d55901522f96082a43b9842d34867363c0cdbac5"
        }
      ],
      "title": "keys: Fix linking a duplicate key to a keyring\u0027s assoc_array",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54170",
    "datePublished": "2025-12-30T12:08:44.763Z",
    "dateReserved": "2025-12-30T12:06:44.496Z",
    "dateUpdated": "2025-12-30T12:08:44.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-R3PM-W3WQ-C59C

CVE-2023-54170 (GCVE-0-2023-54170)

Tags

Sightings

Nomenclature