{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53169", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-15T13:59:19.063Z", "datePublished": "2025-09-15T14:04:02.395Z", "dateUpdated": "2025-09-15T14:04:02.395Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-15T14:04:02.395Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/resctrl: Clear staged_config[] before and after it is used\n\nAs a temporary storage, staged_config[] in rdt_domain should be cleared\nbefore and after it is used. The stale value in staged_config[] could\ncause an MSR access error.\n\nHere is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3\nCache (MBA should be disabled if the number of CLOSIDs for MB is less than\n16.) :\n\tmount -t resctrl resctrl -o cdp /sys/fs/resctrl\n\tmkdir /sys/fs/resctrl/p{1..7}\n\tumount /sys/fs/resctrl/\n\tmount -t resctrl resctrl /sys/fs/resctrl\n\tmkdir /sys/fs/resctrl/p{1..8}\n\nAn error occurs when creating resource group named p8:\n unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60)\n Call Trace:\n <IRQ>\n __flush_smp_call_function_queue+0x11d/0x170\n __sysvec_call_function+0x24/0xd0\n sysvec_call_function+0x89/0xc0\n </IRQ>\n <TASK>\n asm_sysvec_call_function+0x16/0x20\n\nWhen creating a new resource control group, hardware will be configured\nby the following process:\n rdtgroup_mkdir()\n rdtgroup_mkdir_ctrl_mon()\n rdtgroup_init_alloc()\n resctrl_arch_update_domains()\n\nresctrl_arch_update_domains() iterates and updates all resctrl_conf_type\nwhose have_new_ctrl is true. Since staged_config[] holds the same values as\nwhen CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA\nconfigurations. When group p8 is created, get_config_index() called in\nresctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for\nCDP_CODE and CDP_DATA, which will be translated to an invalid register -\n0xca0 in this scenario.\n\nFix it by clearing staged_config[] before and after it is used.\n\n[reinette: re-order commit tags]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kernel/cpu/resctrl/ctrlmondata.c", "arch/x86/kernel/cpu/resctrl/internal.h", "arch/x86/kernel/cpu/resctrl/rdtgroup.c"], "versions": [{"version": "75408e43509ed6207870c0e7e28656acbbc1f7fd", "lessThan": "86db319d25db70cf4af4557e05f6fa6f39c70003", "status": "affected", "versionType": "git"}, {"version": "75408e43509ed6207870c0e7e28656acbbc1f7fd", "lessThan": "3fc5941ecc31a495b6b84b465f36155009db99b5", "status": "affected", "versionType": "git"}, {"version": "75408e43509ed6207870c0e7e28656acbbc1f7fd", "lessThan": "8ecc60ef9318f0d533b866fa421858cc185bccfc", "status": "affected", "versionType": "git"}, {"version": "75408e43509ed6207870c0e7e28656acbbc1f7fd", "lessThan": "0424a7dfe9129b93f29b277511a60e87f052ac6b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kernel/cpu/resctrl/ctrlmondata.c", "arch/x86/kernel/cpu/resctrl/internal.h", "arch/x86/kernel/cpu/resctrl/rdtgroup.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.104", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.21", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.8", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.104"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.1.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.2.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/86db319d25db70cf4af4557e05f6fa6f39c70003"}, {"url": "https://git.kernel.org/stable/c/3fc5941ecc31a495b6b84b465f36155009db99b5"}, {"url": "https://git.kernel.org/stable/c/8ecc60ef9318f0d533b866fa421858cc185bccfc"}, {"url": "https://git.kernel.org/stable/c/0424a7dfe9129b93f29b277511a60e87f052ac6b"}], "title": "x86/resctrl: Clear staged_config[] before and after it is used", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/resctrl: Clear staged_config[] before and after it is used\n\nAs a temporary storage, staged_config[] in rdt_domain should be cleared\nbefore and after it is used. The stale value in staged_config[] could\ncause an MSR access error.\n\nHere is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3\nCache (MBA should be disabled if the number of CLOSIDs for MB is less than\n16.) :\n\tmount -t resctrl resctrl -o cdp /sys/fs/resctrl\n\tmkdir /sys/fs/resctrl/p{1..7}\n\tumount /sys/fs/resctrl/\n\tmount -t resctrl resctrl /sys/fs/resctrl\n\tmkdir /sys/fs/resctrl/p{1..8}\n\nAn error occurs when creating resource group named p8:\n unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60)\n Call Trace:\n <IRQ>\n __flush_smp_call_function_queue+0x11d/0x170\n __sysvec_call_function+0x24/0xd0\n sysvec_call_function+0x89/0xc0\n </IRQ>\n <TASK>\n asm_sysvec_call_function+0x16/0x20\n\nWhen creating a new resource control group, hardware will be configured\nby the following process:\n rdtgroup_mkdir()\n rdtgroup_mkdir_ctrl_mon()\n rdtgroup_init_alloc()\n resctrl_arch_update_domains()\n\nresctrl_arch_update_domains() iterates and updates all resctrl_conf_type\nwhose have_new_ctrl is true. Since staged_config[] holds the same values as\nwhen CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA\nconfigurations. When group p8 is created, get_config_index() called in\nresctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for\nCDP_CODE and CDP_DATA, which will be translated to an invalid register -\n0xca0 in this scenario.\n\nFix it by clearing staged_config[] before and after it is used.\n\n[reinette: re-order commit tags]"}], "id": "CVE-2023-53169", "lastModified": "2025-09-15T15:22:27.090", "metrics": {}, "published": "2025-09-15T14:15:38.693", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0424a7dfe9129b93f29b277511a60e87f052ac6b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3fc5941ecc31a495b6b84b465f36155009db99b5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/86db319d25db70cf4af4557e05f6fa6f39c70003"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8ecc60ef9318f0d533b866fa421858cc185bccfc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}