CVE-2023-54007
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
29/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
vmci_host: fix a race condition in vmci_host_poll() causing GPF<br />
<br />
During fuzzing, a general protection fault is observed in<br />
vmci_host_poll().<br />
<br />
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN<br />
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]<br />
RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926<br />
<br />
Call Trace:<br />
<br />
lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672<br />
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]<br />
_raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162<br />
add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22<br />
poll_wait include/linux/poll.h:49 [inline]<br />
vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174<br />
vfs_poll include/linux/poll.h:88 [inline]<br />
do_pollfd fs/select.c:873 [inline]<br />
do_poll fs/select.c:921 [inline]<br />
do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015<br />
__do_sys_ppoll fs/select.c:1121 [inline]<br />
__se_sys_ppoll+0x2cc/0x330 fs/select.c:1101<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x46/0xb0<br />
<br />
Example thread interleaving that causes the general protection fault<br />
is as follows:<br />
<br />
CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)<br />
----- -----<br />
// Read uninitialized context<br />
context = vmci_host_dev->context;<br />
// Initialize context<br />
vmci_host_dev->context = vmci_ctx_create();<br />
vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;<br />
<br />
if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {<br />
// Dereferencing the wrong pointer<br />
poll_wait(..., &context->host_context);<br />
}<br />
<br />
In this scenario, vmci_host_poll() reads vmci_host_dev->context first,<br />
and then reads vmci_host_dev->ct_type to check that<br />
vmci_host_dev->context is initialized. However, since these two reads<br />
are not atomically executed, there is a chance of a race condition as<br />
described above.<br />
<br />
To fix this race condition, read vmci_host_dev->context after checking<br />
the value of vmci_host_dev->ct_type so that vmci_host_poll() always<br />
reads an initialized context.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3
- https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92
- https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c
- https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b
- https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448
- https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7
- https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc
- https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9