{ "threat_severity" : "Moderate", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: drm/i915/perf: add sentinel to xehp_oa_b_counters", "id" : "2402234", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402234" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/i915/perf: add sentinel to xehp_oa_b_counters\nArrays passed to reg_in_range_table should end with empty record.\nThe patch solves KASAN detected bug with signature:\nBUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\nRead of size 4 at addr ffffffffa1555d90 by task perf/1518\nCPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1\nHardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023\nCall Trace:\n\n...\nxehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\n(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)", "A bounds-checking error was found in the Linux kernel Intel i915 graphics driver's performance monitoring subsystem. A local user with access to Intel GPU performance counters can trigger address validation for observability architecture counters on Xe-HP and newer hardware, causing the driver to read beyond the end of the xehp_oa_b_counters array due to a missing sentinel entry, which results in out-of-bounds memory access and denial of service through kernel crash or undefined behavior." ], "statement" : "The issue arises because the xehp_oa_b_counters register array lacks a terminating sentinel entry (empty record) required by the reg_in_range_table validation function. When userspace interacts with the perf subsystem to configure GPU performance monitoring on affected Intel hardware (Meteor Lake and newer platforms with Xe-HP graphics), the kernel walks the array to validate counter addresses. Without the sentinel, the validation logic reads past the array boundary, accessing arbitrary adjacent kernel memory. KASAN detected a 4-byte out-of-bounds read in xehp_is_valid_b_counter_addr. While this is a memory safety violation, exploitation beyond denial of service is unlikely because the read occurs during validation logic with no direct mechanism to return the out-of-bounds data to userspace. The impact is primarily availability through potential kernel crashes or undefined behavior.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53646\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53646\nhttps://lore.kernel.org/linux-cve-announce/2025100717-CVE-2023-53646-c40e@gregkh/T" ], "name" : "CVE-2023-53646", "mitigation" : { "value" : "To mitigate this issue, prevent the i915 module from loading. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.", "lang" : "en:us" }, "csaw" : false }