{ "threat_severity" : "Moderate", "public_date" : "2025-12-09T00:00:00Z", "bugzilla" : { "description" : "kernel: iommufd: IOMMUFD_DESTROY should not increase the refcount", "id" : "2420238", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420238" }, "cvss3" : { "cvss3_base_score" : "5.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-421", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\niommufd: IOMMUFD_DESTROY should not increase the refcount\nsyzkaller found a race where IOMMUFD_DESTROY increments the refcount:\nobj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY);\nif (IS_ERR(obj))\nreturn PTR_ERR(obj);\niommufd_ref_to_users(obj);\n/* See iommufd_ref_to_users() */\nif (!iommufd_object_destroy_user(ucmd->ictx, obj))\nAs part of the sequence to join the two existing primitives together.\nAllowing the refcount the be elevated without holding the destroy_rwsem\nviolates the assumption that all temporary refcount elevations are\nprotected by destroy_rwsem. Racing IOMMUFD_DESTROY with\niommufd_object_destroy_user() will cause spurious failures:\nWARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478\nModules linked in:\nCPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\nRIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477\nCode: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41\nRSP: 0018:ffffc90003067e08 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff\nRBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500\nR10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88\nR13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe\nFS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0\nCall Trace:\n\niommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]\niommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813\niommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:870 [inline]\n__se_sys_ioctl fs/ioctl.c:856 [inline]\n__x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x38/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe solution is to not increment the refcount on the IOMMUFD_DESTROY path\nat all. Instead use the xa_lock to serialize everything. The refcount\ncheck == 1 and xa_erase can be done under a single critical region. This\navoids the need for any refcount incrementing.\nIt has the downside that if userspace races destroy with other operations\nit will get an EBUSY instead of waiting, but this is kind of racing is\nalready dangerous.", "A race condition was identified in the iommufd subsystem of the Linux kernel where the IOMMUFD_DESTROY command incorrectly increments an object’s reference count without holding the expected exclusive synchronization (destroy_rwsem). This violates the assumption that temporary reference count elevations are always protected by the relevant lock, potentially leading to use of freed objects or other inconsistent states under concurrent access." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53795\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53795\nhttps://lore.kernel.org/linux-cve-announce/2025120941-CVE-2023-53795-f912@gregkh/T" ], "name" : "CVE-2023-53795", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }