Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2023-53630

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
07/10/2025
Last modified:
08/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix unpinning of pages when an access is present

syzkaller found that the calculation of batch_last_index should use 'start_index' since at input to this function the batch is either empty or it has already been adjusted to cross any accesses so it will start at the point we are unmapping from.

Getting this wrong causes the unmap to run over the end of the pages which corrupts pages that were never mapped. In most cases this triggers the num pinned debugging:

  WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560
  Modules linked in:
  CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  RIP: 0010:__iopt_area_unfill_domain+0x152/0x560
  Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54
  RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85
  RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002
  RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014
  R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004
  R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800
  FS: 00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0
  PKRU: 55555554
  Call Trace:
  iopt_area_unfill_domain+0x32/0x40
  iopt_table_remove_domain+0x23f/0x4c0
  iommufd_device_selftest_detach+0x3a/0x90
  iommufd_selftest_destroy+0x55/0x70
  iommufd_object_destroy_user+0xce/0x130
  iommufd_destroy+0xa2/0xc0
  iommufd_fops_ioctl+0x206/0x330
  __x64_sys_ioctl+0x10e/0x160
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x72/0xdc

Also add some useful WARN_ON sanity checks.

Impact