fkie_cve-2023-53123
Vulnerability from fkie_nvd
Published
2025-05-02 16:15
Modified
2025-05-05 20:54
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: s390: Fix use-after-free of PCI resources with per-function hotplug
On s390 PCI functions may be hotplugged individually even when they
belong to a multi-function device. In particular on an SR-IOV device VFs
may be removed and later re-added.
In commit a50297cf8235 ("s390/pci: separate zbus creation from
scanning") it was missed however that struct pci_bus and struct
zpci_bus's resource list retained a reference to the PCI functions MMIO
resources even though those resources are released and freed on
hot-unplug. These stale resources may subsequently be claimed when the
PCI function re-appears resulting in use-after-free.
One idea of fixing this use-after-free in s390 specific code that was
investigated was to simply keep resources around from the moment a PCI
function first appeared until the whole virtual PCI bus created for
a multi-function device disappears. The problem with this however is
that due to the requirement of artificial MMIO addreesses (address
cookies) extra logic is then needed to keep the address cookies
compatible on re-plug. At the same time the MMIO resources semantically
belong to the PCI function so tying their lifecycle to the function
seems more logical.
Instead a simpler approach is to remove the resources of an individually
hot-unplugged PCI function from the PCI bus's resource list while
keeping the resources of other PCI functions on the PCI bus untouched.
This is done by introducing pci_bus_remove_resource() to remove an
individual resource. Similarly the resource also needs to be removed
from the struct zpci_bus's resource list. It turns out however, that
there is really no need to add the MMIO resources to the struct
zpci_bus's resource list at all and instead we can simply use the
zpci_bar_struct's resource pointer directly.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: s390: Fix use-after-free of PCI resources with per-function hotplug\n\nOn s390 PCI functions may be hotplugged individually even when they\nbelong to a multi-function device. In particular on an SR-IOV device VFs\nmay be removed and later re-added.\n\nIn commit a50297cf8235 (\"s390/pci: separate zbus creation from\nscanning\") it was missed however that struct pci_bus and struct\nzpci_bus\u0027s resource list retained a reference to the PCI functions MMIO\nresources even though those resources are released and freed on\nhot-unplug. These stale resources may subsequently be claimed when the\nPCI function re-appears resulting in use-after-free.\n\nOne idea of fixing this use-after-free in s390 specific code that was\ninvestigated was to simply keep resources around from the moment a PCI\nfunction first appeared until the whole virtual PCI bus created for\na multi-function device disappears. The problem with this however is\nthat due to the requirement of artificial MMIO addreesses (address\ncookies) extra logic is then needed to keep the address cookies\ncompatible on re-plug. At the same time the MMIO resources semantically\nbelong to the PCI function so tying their lifecycle to the function\nseems more logical.\n\nInstead a simpler approach is to remove the resources of an individually\nhot-unplugged PCI function from the PCI bus\u0027s resource list while\nkeeping the resources of other PCI functions on the PCI bus untouched.\n\nThis is done by introducing pci_bus_remove_resource() to remove an\nindividual resource. Similarly the resource also needs to be removed\nfrom the struct zpci_bus\u0027s resource list. It turns out however, that\nthere is really no need to add the MMIO resources to the struct\nzpci_bus\u0027s resource list at all and instead we can simply use the\nzpci_bar_struct\u0027s resource pointer directly."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI: s390: Se corrige el problema de use-after-free de recursos PCI con la conexi\u00f3n en caliente por funci\u00f3n. En s390, las funciones PCI pueden conectarse en caliente individualmente, incluso si pertenecen a un dispositivo multifunci\u00f3n. En particular, en un dispositivo SR-IOV, las funciones virtuales (VF) pueden eliminarse y volver a a\u00f1adirse posteriormente. Sin embargo, en el commit a50297cf8235 (\"s390/pci: separar la creaci\u00f3n de zbus del escaneo\") se omiti\u00f3 que la lista de recursos de struct pci_bus y struct zpci_bus conservaba una referencia a los recursos MMIO de las funciones PCI, incluso si estos recursos se liberan al desconectar en caliente. Estos recursos obsoletos pueden reclamarse posteriormente cuando la funci\u00f3n PCI reaparece, lo que resulta en un problema de use-after-free. Una idea para corregir este problema de use-after-free en el c\u00f3digo espec\u00edfico de s390 que se investig\u00f3 fue simplemente mantener los recursos desde el momento en que aparece una funci\u00f3n PCI hasta que desaparece todo el bus PCI virtual creado para un dispositivo multifunci\u00f3n. El problema con esto, sin embargo, es que debido al requisito de direcciones MMIO artificiales (cookies de direcci\u00f3n), se necesita l\u00f3gica adicional para mantener las cookies de direcci\u00f3n compatibles al volver a conectar. Al mismo tiempo, los recursos MMIO pertenecen sem\u00e1nticamente a la funci\u00f3n PCI, por lo que vincular su ciclo de vida a la funci\u00f3n parece m\u00e1s l\u00f3gico. En cambio, un enfoque m\u00e1s simple es eliminar los recursos de una funci\u00f3n PCI individualmente desconectada en caliente de la lista de recursos del bus PCI, mientras que se mantienen intactos los recursos de otras funciones PCI en el bus PCI. Esto se hace introduciendo pci_bus_remove_resource() para eliminar un recurso individual. De manera similar, el recurso tambi\u00e9n debe eliminarse de la lista de recursos de struct zpci_bus. Sin embargo, resulta que realmente no hay necesidad de agregar los recursos MMIO a la lista de recursos de struct zpci_bus en absoluto y, en su lugar, podemos simplemente usar el puntero de recursos de zpci_bar_struct directamente."
}
],
"id": "CVE-2023-53123",
"lastModified": "2025-05-05T20:54:19.760",
"metrics": {},
"published": "2025-05-02T16:15:31.360",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/437bb839e36cc9f35adc6d2a2bf113b7a0fc9985"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/a2410d0c3d2d714ed968a135dfcbed6aa3ff7027"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/ab909509850b27fd39b8ba99e44cda39dbc3858c"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/b99ebf4b62774e690e73a551cf5fbf6f219bdd96"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…