{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54137", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T13:02:52.522Z", "datePublished": "2025-12-24T13:06:52.689Z", "dateUpdated": "2025-12-24T13:06:52.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T13:06:52.689Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: fix cap_migration information leak\n\nFix an information leak where an uninitialized hole in struct\nvfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.\n\nThe definition of struct vfio_iommu_type1_info_cap_migration contains a hole as\nshown in this pahole(1) output:\n\n struct vfio_iommu_type1_info_cap_migration {\n struct vfio_info_cap_header header; /* 0 8 */\n __u32 flags; /* 8 4 */\n\n /* XXX 4 bytes hole, try to pack */\n\n __u64 pgsize_bitmap; /* 16 8 */\n __u64 max_dirty_bitmap_size; /* 24 8 */\n\n /* size: 32, cachelines: 1, members: 4 */\n /* sum members: 28, holes: 1, sum holes: 4 */\n /* last cacheline: 32 bytes */\n };\n\nThe cap_mig variable is filled in without initializing the hole:\n\n static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,\n struct vfio_info_cap *caps)\n {\n struct vfio_iommu_type1_info_cap_migration cap_mig;\n\n cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;\n cap_mig.header.version = 1;\n\n cap_mig.flags = 0;\n /* support minimum pgsize */\n cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);\n cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;\n\n return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));\n }\n\nThe structure is then copied to a temporary location on the heap. At this point\nit's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace\nlater:\n\n int vfio_info_add_capability(struct vfio_info_cap *caps,\n struct vfio_info_cap_header *cap, size_t size)\n {\n struct vfio_info_cap_header *header;\n\n header = vfio_info_cap_add(caps, size, cap->id, cap->version);\n if (IS_ERR(header))\n return PTR_ERR(header);\n\n memcpy(header + 1, cap + 1, size - sizeof(*header));\n\n return 0;\n }\n\nThis issue was found by code inspection."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/vfio_iommu_type1.c"], "versions": [{"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "ad83d83dd891244de0d07678b257dc976db7c132", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "13fd667db999bffb557c5de7adb3c14f1713dd51", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "f6f300ecc196d243c02adeb9ee0c62c677c24bfb", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "cbac29a1caa49a34e131394e1f4d924a76d8b0c9", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "1b5feb8497cdb5b9962db2700814bffbc030fb4a", "status": "affected", "versionType": "git"}, {"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90", "lessThan": "cd24e2a60af633f157d7e59c0a6dba64f131c0b1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/vfio_iommu_type1.c"], "versions": [{"version": "5.8", "status": "affected"}, {"version": "0", "lessThan": "5.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.195", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.132", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.53", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4.16", "lessThanOrEqual": "6.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.3", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.10.195"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "5.15.132"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.1.53"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.4.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.5.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8", "versionEndExcluding": "6.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132"}, {"url": "https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51"}, {"url": "https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb"}, {"url": "https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9"}, {"url": "https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a"}, {"url": "https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1"}], "title": "vfio/type1: fix cap_migration information leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: fix cap_migration information leak\n\nFix an information leak where an uninitialized hole in struct\nvfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.\n\nThe definition of struct vfio_iommu_type1_info_cap_migration contains a hole as\nshown in this pahole(1) output:\n\n struct vfio_iommu_type1_info_cap_migration {\n struct vfio_info_cap_header header; /* 0 8 */\n __u32 flags; /* 8 4 */\n\n /* XXX 4 bytes hole, try to pack */\n\n __u64 pgsize_bitmap; /* 16 8 */\n __u64 max_dirty_bitmap_size; /* 24 8 */\n\n /* size: 32, cachelines: 1, members: 4 */\n /* sum members: 28, holes: 1, sum holes: 4 */\n /* last cacheline: 32 bytes */\n };\n\nThe cap_mig variable is filled in without initializing the hole:\n\n static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,\n struct vfio_info_cap *caps)\n {\n struct vfio_iommu_type1_info_cap_migration cap_mig;\n\n cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;\n cap_mig.header.version = 1;\n\n cap_mig.flags = 0;\n /* support minimum pgsize */\n cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);\n cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;\n\n return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));\n }\n\nThe structure is then copied to a temporary location on the heap. At this point\nit's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace\nlater:\n\n int vfio_info_add_capability(struct vfio_info_cap *caps,\n struct vfio_info_cap_header *cap, size_t size)\n {\n struct vfio_info_cap_header *header;\n\n header = vfio_info_cap_add(caps, size, cap->id, cap->version);\n if (IS_ERR(header))\n return PTR_ERR(header);\n\n memcpy(header + 1, cap + 1, size - sizeof(*header));\n\n return 0;\n }\n\nThis issue was found by code inspection."}], "id": "CVE-2023-54137", "lastModified": "2025-12-29T15:58:13.147", "metrics": {}, "published": "2025-12-24T13:16:15.693", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: vfio/type1: fix cap_migration information leak", "id": "2425187", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2425187"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2023-54137", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-54137\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54137\nhttps://lore.kernel.org/linux-cve-announce/2025122422-CVE-2023-54137-1873@gregkh/T"], "threat_severity": "Low"}

{}