{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52455", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.294Z", "datePublished": "2024-02-23T14:46:18.495Z", "dateUpdated": "2024-09-11T17:33:49.752Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:12:10.601Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Don't reserve 0-length IOVA region\n\nWhen the bootloader/firmware doesn't setup the framebuffers, their\naddress and size are 0 in \"iommu-addresses\" property. If IOVA region is\nreserved with 0 length, then it ends up corrupting the IOVA rbtree with\nan entry which has pfn_hi < pfn_lo.\nIf we intend to use display driver in kernel without framebuffer then\nit's causing the display IOMMU mappings to fail as entire valid IOVA\nspace is reserved when address and length are passed as 0.\nAn ideal solution would be firmware removing the \"iommu-addresses\"\nproperty and corresponding \"memory-region\" if display is not present.\nBut the kernel should be able to handle this by checking for size of\nIOVA region and skipping the IOVA reservation if size is 0. Also, add\na warning if firmware is requesting 0-length IOVA region reservation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/of_iommu.c"], "versions": [{"version": "a5bf3cfce8cb", "lessThan": "98b8a550da83", "status": "affected", "versionType": "git"}, {"version": "a5bf3cfce8cb", "lessThan": "5e23e283910c", "status": "affected", "versionType": "git"}, {"version": "a5bf3cfce8cb", "lessThan": "bb57f6705960", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/of_iommu.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.14", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.7.2", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad"}, {"url": "https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf"}, {"url": "https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1"}], "title": "iommu: Don't reserve 0-length IOVA region", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:19.635Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:02:39.988969Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:49.752Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:19.635Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:02:39.988969Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.993Z"}}], "cna": {"title": "iommu: Don't reserve 0-length IOVA region", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "a5bf3cfce8cb", "lessThan": "98b8a550da83", "versionType": "git"}, {"status": "affected", "version": "a5bf3cfce8cb", "lessThan": "5e23e283910c", "versionType": "git"}, {"status": "affected", "version": "a5bf3cfce8cb", "lessThan": "bb57f6705960", "versionType": "git"}], "programFiles": ["drivers/iommu/of_iommu.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.3"}, {"status": "unaffected", "version": "0", "lessThan": "6.3", "versionType": "custom"}, {"status": "unaffected", "version": "6.6.14", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.2", "versionType": "custom", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/iommu/of_iommu.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad"}, {"url": "https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf"}, {"url": "https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Don't reserve 0-length IOVA region\n\nWhen the bootloader/firmware doesn't setup the framebuffers, their\naddress and size are 0 in \"iommu-addresses\" property. If IOVA region is\nreserved with 0 length, then it ends up corrupting the IOVA rbtree with\nan entry which has pfn_hi < pfn_lo.\nIf we intend to use display driver in kernel without framebuffer then\nit's causing the display IOMMU mappings to fail as entire valid IOVA\nspace is reserved when address and length are passed as 0.\nAn ideal solution would be firmware removing the \"iommu-addresses\"\nproperty and corresponding \"memory-region\" if display is not present.\nBut the kernel should be able to handle this by checking for size of\nIOVA region and skipping the IOVA reservation if size is 0. Also, add\na warning if firmware is requesting 0-length IOVA region reservation."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:12:10.601Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52455", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:33:49.752Z", "dateReserved": "2024-02-20T12:30:33.294Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-23T14:46:18.495Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "723F5211-5C37-4F95-A4D3-FA6C2E6F914C", "versionEndExcluding": "6.6.14", "versionStartIncluding": "6.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EA3778C-730B-464C-8023-18CA6AC0B807", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Don't reserve 0-length IOVA region\n\nWhen the bootloader/firmware doesn't setup the framebuffers, their\naddress and size are 0 in \"iommu-addresses\" property. If IOVA region is\nreserved with 0 length, then it ends up corrupting the IOVA rbtree with\nan entry which has pfn_hi < pfn_lo.\nIf we intend to use display driver in kernel without framebuffer then\nit's causing the display IOMMU mappings to fail as entire valid IOVA\nspace is reserved when address and length are passed as 0.\nAn ideal solution would be firmware removing the \"iommu-addresses\"\nproperty and corresponding \"memory-region\" if display is not present.\nBut the kernel should be able to handle this by checking for size of\nIOVA region and skipping the IOVA reservation if size is 0. Also, add\na warning if firmware is requesting 0-length IOVA region reservation."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu: no reservar regi\u00f3n IOVA de longitud 0 Cuando el gestor de arranque/firmware no configura los framebuffers, su direcci\u00f3n y tama\u00f1o son 0 en la propiedad \"iommu-addresses\". Si la regi\u00f3n IOVA est\u00e1 reservada con una longitud de 0, termina corrompiendo el rbtree de IOVA con una entrada que tiene pfn_hi &lt; pfn_lo. Si pretendemos utilizar el controlador de pantalla en el kernel sin framebuffer, entonces las asignaciones IOMMU de pantalla fallar\u00e1n ya que se reserva todo el espacio IOVA v\u00e1lido cuando la direcci\u00f3n y la longitud se pasan como 0. Una soluci\u00f3n ideal ser\u00eda que el firmware elimine la propiedad \"iommu-addresses\". y la \"regi\u00f3n de memoria\" correspondiente si la pantalla no est\u00e1 presente. Pero el kernel deber\u00eda poder manejar esto verificando el tama\u00f1o de la regi\u00f3n IOVA y omitiendo la reserva de IOVA si el tama\u00f1o es 0. Adem\u00e1s, agregue una advertencia si el firmware solicita una reserva de regi\u00f3n IOVA de longitud 0."}], "id": "CVE-2023-52455", "lastModified": "2024-04-30T19:34:34.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-23T15:15:08.193", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: iommu: Don't reserve 0-length IOVA region", "id": "2265793", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265793"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\niommu: Don't reserve 0-length IOVA region\nWhen the bootloader/firmware doesn't setup the framebuffers, their\naddress and size are 0 in \"iommu-addresses\" property. If IOVA region is\nreserved with 0 length, then it ends up corrupting the IOVA rbtree with\nan entry which has pfn_hi < pfn_lo.\nIf we intend to use display driver in kernel without framebuffer then\nit's causing the display IOMMU mappings to fail as entire valid IOVA\nspace is reserved when address and length are passed as 0.\nAn ideal solution would be firmware removing the \"iommu-addresses\"\nproperty and corresponding \"memory-region\" if display is not present.\nBut the kernel should be able to handle this by checking for size of\nIOVA region and skipping the IOVA reservation if size is 0. Also, add\na warning if firmware is requesting 0-length IOVA region reservation.", "A flaw was found in the Linux kernel. When the bootloader/firmware does not set up the framebuffers, the address and size are 0 in the \"iommu-addresses\" property. If the IOVA region is reserved with a 0 length, it corrupts the IOVA rbtree with an entry that has pfn_hi < pfn_lo. If the intent is to use the display driver in the kernel without the framebuffer, it causes the display IOMMU mappings to fail, as an entire valid IOVA space is reserved when the address and length are passed as 0. An ideal solution would be for the firmware to remove the \"iommu-addresses\" property and the corresponding \"memory-region\" if the display is not present. The kernel should be able to handle this by checking the size of the IOVA region and skipping the IOVA reservation if its size is 0. Also, add a warning if the firmware is requesting a 0-length IOVA region reservation."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available for this vulnerability. Make sure to perform the updates as they become available."}, "name": "CVE-2023-52455", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52455\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52455\nhttps://lore.kernel.org/linux-cve-announce/2024022331-CVE-2023-52455-a28f@gregkh/T/#u"], "threat_severity": "Low", "upstream_fix": "kernel 6.8-rc1"}