CVE-2023-53236 - Vulnerability Details

Link	Providers
https://git.kernel.org/stable/c/13a0d1ae7ee6b438f5537711a8c60cba00554943
https://git.kernel.org/stable/c/6ed5784526ddc0fb58b1798af36ec0c3139a8dca

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: iommufd: Do not corrupt the pfn list when doing batch carry If batch->end is 0 then setting npfns[0] before computing the new value of pfns will fail to adjust the pfn and result in various page accounting corruptions. It should be ordered after. This seems to result in various kinds of page meta-data corruption related failures: WARNING: CPU: 1 PID: 527 at mm/gup.c:75 try_grab_folio+0x503/0x740 Modules linked in: CPU: 1 PID: 527 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:try_grab_folio+0x503/0x740 Code: e3 01 48 89 de e8 6d c1 dd ff 48 85 db 0f 84 7c fe ff ff e8 4f bf dd ff 49 8d 47 ff 48 89 45 d0 e9 73 fe ff ff e8 3d bf dd ff <0f> 0b 31 db e9 d0 fc ff ff e8 2f bf dd ff 48 8b 5d c8 31 ff 48 89 RSP: 0018:ffffc90000f37908 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 00000000fffffc02 RCX: ffffffff81504c26 RDX: 0000000000000000 RSI: ffff88800d030000 RDI: 0000000000000002 RBP: ffffc90000f37948 R08: 000000000003ca24 R09: 0000000000000008 R10: 000000000003ca00 R11: 0000000000000023 R12: ffffea000035d540 R13: 0000000000000001 R14: 0000000000000000 R15: ffffea000035d540 FS: 00007fecbf659740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200011c3 CR3: 000000000ef66006 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> internal_get_user_pages_fast+0xd32/0x2200 pin_user_pages_fast+0x65/0x90 pfn_reader_user_pin+0x376/0x390 pfn_reader_next+0x14a/0x7b0 pfn_reader_first+0x140/0x1b0 iopt_area_fill_domain+0x74/0x210 iopt_table_add_domain+0x30e/0x6e0 iommufd_device_selftest_attach+0x7f/0x140 iommufd_test+0x10ff/0x16f0 iommufd_fops_ioctl+0x206/0x330 __x64_sys_ioctl+0x10e/0x160 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc
Title		iommufd: Do not corrupt the pfn list when doing batch carry
References		https://git.kernel.org/stable/c/13a0d1ae7ee6b438f5537711a8c60cba00554943 https://git.kernel.org/stable/c/6ed5784526ddc0fb58b1798af36ec0c3139a8dca

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53236", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-15T14:19:21.847Z", "datePublished": "2025-09-15T14:22:09.250Z", "dateUpdated": "2025-09-15T14:22:09.250Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-15T14:22:09.250Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Do not corrupt the pfn list when doing batch carry\n\nIf batch->end is 0 then setting npfns[0] before computing the new value of\npfns will fail to adjust the pfn and result in various page accounting\ncorruptions. It should be ordered after.\n\nThis seems to result in various kinds of page meta-data corruption related\nfailures:\n\n WARNING: CPU: 1 PID: 527 at mm/gup.c:75 try_grab_folio+0x503/0x740\n Modules linked in:\n CPU: 1 PID: 527 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:try_grab_folio+0x503/0x740\n Code: e3 01 48 89 de e8 6d c1 dd ff 48 85 db 0f 84 7c fe ff ff e8 4f bf dd ff 49 8d 47 ff 48 89 45 d0 e9 73 fe ff ff e8 3d bf dd ff <0f> 0b 31 db e9 d0 fc ff ff e8 2f bf dd ff 48 8b 5d c8 31 ff 48 89\n RSP: 0018:ffffc90000f37908 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 00000000fffffc02 RCX: ffffffff81504c26\n RDX: 0000000000000000 RSI: ffff88800d030000 RDI: 0000000000000002\n RBP: ffffc90000f37948 R08: 000000000003ca24 R09: 0000000000000008\n R10: 000000000003ca00 R11: 0000000000000023 R12: ffffea000035d540\n R13: 0000000000000001 R14: 0000000000000000 R15: ffffea000035d540\n FS: 00007fecbf659740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000200011c3 CR3: 000000000ef66006 CR4: 0000000000770ee0\n PKRU: 55555554\n Call Trace:\n <TASK>\n internal_get_user_pages_fast+0xd32/0x2200\n pin_user_pages_fast+0x65/0x90\n pfn_reader_user_pin+0x376/0x390\n pfn_reader_next+0x14a/0x7b0\n pfn_reader_first+0x140/0x1b0\n iopt_area_fill_domain+0x74/0x210\n iopt_table_add_domain+0x30e/0x6e0\n iommufd_device_selftest_attach+0x7f/0x140\n iommufd_test+0x10ff/0x16f0\n iommufd_fops_ioctl+0x206/0x330\n __x64_sys_ioctl+0x10e/0x160\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/iommufd/pages.c"], "versions": [{"version": "f394576eb11dbcd3a740fa41e577b97f0720d26e", "lessThan": "6ed5784526ddc0fb58b1798af36ec0c3139a8dca", "status": "affected", "versionType": "git"}, {"version": "f394576eb11dbcd3a740fa41e577b97f0720d26e", "lessThan": "13a0d1ae7ee6b438f5537711a8c60cba00554943", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/iommu/iommufd/pages.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.11", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6ed5784526ddc0fb58b1798af36ec0c3139a8dca"}, {"url": "https://git.kernel.org/stable/c/13a0d1ae7ee6b438f5537711a8c60cba00554943"}], "title": "iommufd: Do not corrupt the pfn list when doing batch carry", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Do not corrupt the pfn list when doing batch carry\n\nIf batch->end is 0 then setting npfns[0] before computing the new value of\npfns will fail to adjust the pfn and result in various page accounting\ncorruptions. It should be ordered after.\n\nThis seems to result in various kinds of page meta-data corruption related\nfailures:\n\n WARNING: CPU: 1 PID: 527 at mm/gup.c:75 try_grab_folio+0x503/0x740\n Modules linked in:\n CPU: 1 PID: 527 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:try_grab_folio+0x503/0x740\n Code: e3 01 48 89 de e8 6d c1 dd ff 48 85 db 0f 84 7c fe ff ff e8 4f bf dd ff 49 8d 47 ff 48 89 45 d0 e9 73 fe ff ff e8 3d bf dd ff <0f> 0b 31 db e9 d0 fc ff ff e8 2f bf dd ff 48 8b 5d c8 31 ff 48 89\n RSP: 0018:ffffc90000f37908 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 00000000fffffc02 RCX: ffffffff81504c26\n RDX: 0000000000000000 RSI: ffff88800d030000 RDI: 0000000000000002\n RBP: ffffc90000f37948 R08: 000000000003ca24 R09: 0000000000000008\n R10: 000000000003ca00 R11: 0000000000000023 R12: ffffea000035d540\n R13: 0000000000000001 R14: 0000000000000000 R15: ffffea000035d540\n FS: 00007fecbf659740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000200011c3 CR3: 000000000ef66006 CR4: 0000000000770ee0\n PKRU: 55555554\n Call Trace:\n <TASK>\n internal_get_user_pages_fast+0xd32/0x2200\n pin_user_pages_fast+0x65/0x90\n pfn_reader_user_pin+0x376/0x390\n pfn_reader_next+0x14a/0x7b0\n pfn_reader_first+0x140/0x1b0\n iopt_area_fill_domain+0x74/0x210\n iopt_table_add_domain+0x30e/0x6e0\n iommufd_device_selftest_attach+0x7f/0x140\n iommufd_test+0x10ff/0x16f0\n iommufd_fops_ioctl+0x206/0x330\n __x64_sys_ioctl+0x10e/0x160\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc"}], "id": "CVE-2023-53236", "lastModified": "2025-09-15T15:22:27.090", "metrics": {}, "published": "2025-09-15T15:15:50.660", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13a0d1ae7ee6b438f5537711a8c60cba00554943"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6ed5784526ddc0fb58b1798af36ec0c3139a8dca"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object