{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: iommufd: Check for uptr overflow",
    "id" : "2426062",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426062"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-119",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\niommufd: Check for uptr overflow\nsyzkaller found that setting up a map with a user VA that wraps past zero\ncan trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0\ndue to invalid arguments.\nPrevent creating a pages with a uptr and size that would math overflow.\nWARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390\nModules linked in:\nCPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:pfn_reader_user_pin+0x2e6/0x390\nCode: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 85 db 74 0a e8 14 e4 0f ff e9 4d ff ff ff e8 0a e4 0f ff <0f> 0b bb f2 ff ff ff e9 3c ff ff ff e8 f9 e3 0f ff ba 01 00 00 00\nRSP: 0018:ffffc90000f9fa30 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff821e2b72\nRDX: 0000000000000000 RSI: ffff888014184680 RDI: 0000000000000002\nRBP: ffffc90000f9fa78 R08: 00000000000000ff R09: 0000000079de6f4e\nR10: ffffc90000f9f790 R11: ffff888014185418 R12: ffffc90000f9fc60\nR13: 0000000000000002 R14: ffff888007879800 R15: 0000000000000000\nFS:  00007f4227555740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000043 CR3: 000000000e748005 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n<TASK>\npfn_reader_next+0x14a/0x7b0\n? interval_tree_double_span_iter_update+0x11a/0x140\npfn_reader_first+0x140/0x1b0\niopt_pages_rw_slow+0x71/0x280\n? __this_cpu_preempt_check+0x20/0x30\niopt_pages_rw_access+0x2b2/0x5b0\niommufd_access_rw+0x19f/0x2f0\niommufd_test+0xd11/0x16f0\n? write_comp_data+0x2f/0x90\niommufd_fops_ioctl+0x206/0x330\n__x64_sys_ioctl+0x10e/0x160\n? __pfx_iommufd_fops_ioctl+0x10/0x10\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x72/0xdc", "A flaw was found in the iommufd subsystem of the Linux kernel. When setting up a mapping with a user virtual address that wraps past zero or otherwise triggers a pointer/size overflow, the kernel may fail to properly validate and constrain the user-provided values. This can result in a buffer overflow or memory corruption in the iopt_alloc_pages() and related routines when handling the user mapping." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54239\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54239\nhttps://lore.kernel.org/linux-cve-announce/2025123033-CVE-2023-54239-07d2@gregkh/T" ],
  "name" : "CVE-2023-54239",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}