{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: RDMA/mlx5: Fix mlx5_ib_get_hw_stats when used for device",
    "id" : "2396376",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396376"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/mlx5: Fix mlx5_ib_get_hw_stats when used for device\nCurrently, when mlx5_ib_get_hw_stats() is used for device (port_num = 0),\nthere is a special handling in order to use the correct counters, but,\nport_num is being passed down the stack without any change.  Also, some\nfunctions assume that port_num >=1. As a result, the following oops can\noccur.\nBUG: unable to handle page fault for address: ffff89510294f1a8\n#PF: supervisor write access in kernel mode\n#PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nOops: 0002 [#1] SMP\nCPU: 8 PID: 1382 Comm: devlink Tainted: G W          6.1.0-rc4_for_upstream_base_2022_11_10_16_12 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:_raw_spin_lock+0xc/0x20\nCall Trace:\n<TASK>\nmlx5_ib_get_native_port_mdev+0x73/0xe0 [mlx5_ib]\ndo_get_hw_stats.constprop.0+0x109/0x160 [mlx5_ib]\nmlx5_ib_get_hw_stats+0xad/0x180 [mlx5_ib]\nib_setup_device_attrs+0xf0/0x290 [ib_core]\nib_register_device+0x3bb/0x510 [ib_core]\n? atomic_notifier_chain_register+0x67/0x80\n__mlx5_ib_add+0x2b/0x80 [mlx5_ib]\nmlx5r_probe+0xb8/0x150 [mlx5_ib]\n? auxiliary_match_id+0x6a/0x90\nauxiliary_bus_probe+0x3c/0x70\n? driver_sysfs_add+0x6b/0x90\nreally_probe+0xcd/0x380\n__driver_probe_device+0x80/0x170\ndriver_probe_device+0x1e/0x90\n__device_attach_driver+0x7d/0x100\n? driver_allows_async_probing+0x60/0x60\n? driver_allows_async_probing+0x60/0x60\nbus_for_each_drv+0x7b/0xc0\n__device_attach+0xbc/0x200\nbus_probe_device+0x87/0xa0\ndevice_add+0x404/0x940\n? dev_set_name+0x53/0x70\n__auxiliary_device_add+0x43/0x60\nadd_adev+0x99/0xe0 [mlx5_core]\nmlx5_attach_device+0xc8/0x120 [mlx5_core]\nmlx5_load_one_devl_locked+0xb2/0xe0 [mlx5_core]\ndevlink_reload+0x133/0x250\ndevlink_nl_cmd_reload+0x480/0x570\n? devlink_nl_pre_doit+0x44/0x2b0\ngenl_family_rcv_msg_doit.isra.0+0xc2/0x110\ngenl_rcv_msg+0x180/0x2b0\n? devlink_nl_cmd_region_read_dumpit+0x540/0x540\n? devlink_reload+0x250/0x250\n? devlink_put+0x50/0x50\n? genl_family_rcv_msg_doit.isra.0+0x110/0x110\nnetlink_rcv_skb+0x54/0x100\ngenl_rcv+0x24/0x40\nnetlink_unicast+0x1f6/0x2c0\nnetlink_sendmsg+0x237/0x490\nsock_sendmsg+0x33/0x40\n__sys_sendto+0x103/0x160\n? handle_mm_fault+0x10e/0x290\n? do_user_addr_fault+0x1c0/0x5f0\n__x64_sys_sendto+0x25/0x30\ndo_syscall_64+0x3d/0x90\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nFix it by setting port_num to 1 in order to get device status and remove\nunused variable.", "An out-of-bounds write vulnerability exists in the Linux kernel, such that when mlx5_ib_get_hw_stats() is used for the device (port_num = 0),\nthere is a special handling in order to use the correct counters, but\nport_num is being passed down the stack without any change, leading to damage in system availability and integrity." ],
  "statement" : "A flaw in mlx5_ib_get_hw_stats() allowed port_num=0 (device-level query) to propagate down the stack, where code paths assumed port_num >= 1, leading to a NULL-pointer dereference and kernel oops during stats collection or device registration. The fix normalizes device queries by forcing port_num=1 before accessing per-port data and removes an unused variable. Exploitation requires local, highly privileged access to the RDMA device stack (e.g., devlink/IB admin), and impact is limited to local DoS.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:2951",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-477.10.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23445",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.178.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23463",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.182.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-12-17T00:00:00Z",
    "advisory" : "RHSA-2025:23463",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.182.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22006",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.170.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22006",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.170.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22006",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.170.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22066",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.155.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22087",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.155.1.rt21.227.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53393\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53393\nhttps://lore.kernel.org/linux-cve-announce/2025091858-CVE-2023-53393-5e45@gregkh/T" ],
  "name" : "CVE-2023-53393",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}