PT-2023-8721 · Linux+4 · Linux Kernel+4
Published: 2023-04-09 · Updated: 2025-09-29
CVE-2023-52474
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The Linux kernel has a vulnerability related to the handling of non-`PAGE_SIZE`-end multi-iovec user SDMA requests in the hfi1 driver. This vulnerability can cause data corruption for user SDMA requests with multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec. The specific bugs include:
- `user_sdma_txadd()` not using `struct user_sdma_iovec->iov.iov_len`, resulting in adding up to `PAGE_SIZE` bytes from iovec to the packet, even if some of those bytes are past `iovec->iov.iov_len` and are thus not intended to be in the packet.
- `user_sdma_txadd()` and `user_sdma_send_pkts()` failing to advance to the next iovec in `user_sdma_request->iovs` when the current iovec is not `PAGE_SIZE` and does not contain enough data to complete the packet, resulting in the transmitted packet containing the wrong data from the iovec pages.

Fixing these bugs exposes other bugs with the SDMA pin cache (`struct mmu_rb_handler`) that get in the way of supporting user SDMA requests with multiple payload iovecs whose buffers do not end at `PAGE_SIZE`.
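The two gather bugs described above can be reproduced in a simplified user-space model. The following is an added illustration, not the hfi1 driver's code; `model_iovec`, `gather()`, `packet_is_intended()` and `MODEL_PAGE_SIZE` are hypothetical names, and each iovec is assumed to start on a page boundary and fit in one page.

```c
#include <stddef.h>
#include <string.h>

#define MODEL_PAGE_SIZE 64            /* small stand-in for PAGE_SIZE */

struct model_iovec {                  /* hypothetical model type, not the driver's */
    const unsigned char *base;        /* page-aligned buffer start in this model */
    size_t len;                       /* bytes the caller wants transmitted */
};

/* Gather pkt_len bytes from the iovecs. With honor_len == 0 each chunk is
 * bounded only by the page boundary and the next iovec is reached only after
 * a whole page (the behaviour described above); with honor_len == 1 each
 * chunk is bounded by iov->len and a spent iovec is left immediately. */
size_t gather(const struct model_iovec *iov, size_t n, int honor_len,
              unsigned char *pkt, size_t pkt_len)
{
    size_t out = 0, i = 0, off = 0;

    while (out < pkt_len && i < n) {
        size_t limit = honor_len ? iov[i].len : MODEL_PAGE_SIZE;
        size_t chunk = limit - off;

        if (chunk > pkt_len - out)
            chunk = pkt_len - out;
        memcpy(pkt + out, iov[i].base + off, chunk);
        out += chunk;
        off += chunk;
        if (off == limit) {           /* current source exhausted: advance */
            i++;
            off = 0;
        }
    }
    return out;
}

/* Constructed input: two pages, each holding 10 payload bytes followed by
 * unrelated bytes ('x' / 'y'). Returns 1 if the packet is exactly A*10 B*10. */
int packet_is_intended(int honor_len)
{
    unsigned char page_a[MODEL_PAGE_SIZE], page_b[MODEL_PAGE_SIZE], pkt[20];
    struct model_iovec iov[2] = { { page_a, 10 }, { page_b, 10 } };

    memset(page_a, 'x', sizeof page_a); memset(page_a, 'A', 10);
    memset(page_b, 'y', sizeof page_b); memset(page_b, 'B', 10);
    gather(iov, 2, honor_len, pkt, sizeof pkt);
    return memcmp(pkt, "AAAAAAAAAABBBBBBBBBB", sizeof pkt) == 0;
}
```

With `honor_len` set to 0 the packet carries ten bytes from beyond the first iovec's length and none from the second iovec, which is the data corruption the description refers to.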
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
NULL Pointer Dereference
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linux Kernel
Red Os
Suse