CVE-2023-53746

Vulnerability

Description

In the Linux kernel's s390/vfio-ap device driver, a memory leak exists in the device release callback function. The callback attempts to retrieve the vfio_matrix_dev object using dev_get_drvdata(device *dev), but this object is never stored as driver data for the device. Consequently, dev_get_drvdata returns NULL, and the subsequent kfree(NULL) is a no-op, leaving the allocated memory for the vfio_matrix_dev object unfreed [1][2].

Exploitation

Context

The bug is triggered during the normal lifecycle of the matrix device, specifically when the device is released (e.g., during module unload or device removal). No special privileges or network access are required; the vulnerability manifests in standard system operations involving the vfio-ap driver on s390 systems. An attacker with local access could potentially accelerate the leak by repeatedly triggering device creation and removal, but the primary risk is from routine administrative actions.

Impact

The memory leak gradually consumes kernel memory, potentially leading to resource exhaustion and system instability. Over time, this can degrade performance or cause a denial-of-service condition, especially on systems with limited memory or those that frequently cycle the vfio-ap device.

Mitigation

The fix replaces the incorrect dev_get_drvdata call with the container_of macro, which correctly derives the vfio_matrix_dev pointer from the embedded device structure. The patch has been applied to the Linux kernel stable branches as referenced in commits [1] and [2]. Users should update to a kernel version containing these commits to resolve the vulnerability.