Home

Description

In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output: struct vfio_iommu_type1_info_cap_migration { struct vfio_info_cap_header header; /* 0 8 */ __u32 flags; /* 8 4 */ /* XXX 4 bytes hole, try to pack */ __u64 pgsize_bitmap; /* 16 8 */ __u64 max_dirty_bitmap_size; /* 24 8 */ /* size: 32, cachelines: 1, members: 4 */ /* sum members: 28, holes: 1, sum holes: 4 */ /* last cacheline: 32 bytes */ }; The cap_mig variable is filled in without initializing the hole: static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, struct vfio_info_cap *caps) { struct vfio_iommu_type1_info_cap_migration cap_mig; cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; cap_mig.header.version = 1; cap_mig.flags = 0; /* support minimum pgsize */ cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap); cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX; return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig)); } The structure is then copied to a temporary location on the heap. At this point it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace later: int vfio_info_add_capability(struct vfio_info_cap *caps, struct vfio_info_cap_header *cap, size_t size) { struct vfio_info_cap_header *header; header = vfio_info_cap_add(caps, size, cap->id, cap->version); if (IS_ERR(header)) return PTR_ERR(header); memcpy(header + 1, cap + 1, size - sizeof(*header)); return 0; } This issue was found by code inspection.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Default status
unaffected

ad721705d09c62f0d108a6b4f59867ebfd592c90 (git) before ad83d83dd891244de0d07678b257dc976db7c132
affected

ad721705d09c62f0d108a6b4f59867ebfd592c90 (git) before 13fd667db999bffb557c5de7adb3c14f1713dd51
affected

ad721705d09c62f0d108a6b4f59867ebfd592c90 (git) before f6f300ecc196d243c02adeb9ee0c62c677c24bfb
affected

ad721705d09c62f0d108a6b4f59867ebfd592c90 (git) before cbac29a1caa49a34e131394e1f4d924a76d8b0c9
affected

ad721705d09c62f0d108a6b4f59867ebfd592c90 (git) before 1b5feb8497cdb5b9962db2700814bffbc030fb4a
affected

ad721705d09c62f0d108a6b4f59867ebfd592c90 (git) before cd24e2a60af633f157d7e59c0a6dba64f131c0b1
affected

Default status
affected

5.8
affected

Any version before 5.8
unaffected

5.10.195 (semver)
unaffected

5.15.132 (semver)
unaffected

6.1.53 (semver)
unaffected

6.4.16 (semver)
unaffected

6.5.3 (semver)
unaffected

6.6 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/ad83d83dd891244de0d07678b257dc976db7c132

git.kernel.org/...c/13fd667db999bffb557c5de7adb3c14f1713dd51

git.kernel.org/...c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb

git.kernel.org/...c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9

git.kernel.org/...c/1b5feb8497cdb5b9962db2700814bffbc030fb4a

git.kernel.org/...c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1

cve.org (CVE-2023-54137)

nvd.nist.gov (CVE-2023-54137)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.