VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54034

Description

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Make sure to zero vfio_iommu_type1_info before copying to user

Missed a zero initialization here. Most of the struct is filled with a copy_from_user(), however minsz for that copy is smaller than the actual struct by 8 bytes, thus we don't fill the padding.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing zero-initialization in the Linux kernel's iommufd leaks 8 bytes of kernel stack padding to userspace via vfio_iommu_type1_info.

Vulnerability

In the Linux kernel's iommufd subsystem, the function handling vfio_iommu_type1_info fails to zero-initialize the entire structure before copying it to userspace. The structure is partially filled via copy_from_user(), but the minimum size (minsz) used for that copy is 8 bytes smaller than the actual struct size. This leaves the padding bytes uninitialized, potentially leaking kernel stack memory [1].

Exploitation

An attacker with access to iommufd (that is, able to open /dev/iommu and issue the relevant ioctl) can trigger this info leak. No special privileges beyond user-level access to the iommufd device are required. The attack surface is local, as the device is only accessible from within the system [1].

Impact

By reading the leaked 8 bytes of kernel stack data, an attacker may obtain sensitive information such as kernel pointers or other data that could aid in bypassing KASLR or crafting further exploits. The leak is limited to 8 bytes per call, but repeated calls could accumulate more data [1].

Mitigation

The fix was committed to the Linux kernel stable tree in commit b3551ead6163, which adds a memset() to zero the entire structure before use. Users should apply the latest stable kernel updates to remediate this issue [1].
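The pattern described above, as a user-space C model added here (not the kernel's code): `demo_info`, `get_info`, `leaked_tail_bytes` and the `0xA5` fill are constructed stand-ins, with the fill simulating leftover stack content so the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in, not the kernel header: 16 caller-supplied bytes, 8-byte tail. */
struct demo_info {
    uint32_t argsz;
    uint32_t flags;
    uint64_t iova_pgsizes;
    uint32_t cap_offset;
    uint32_t pad;
};

/* Same idea as the kernel's offsetofend(): end of the last field user space supplies. */
#define MINSZ (offsetof(struct demo_info, iova_pgsizes) + sizeof(uint64_t))
#define STALE 0xA5 /* stands in for leftover kernel stack content */

/* Models the ioctl handler: zero_first=0 is the pre-fix pattern, 1 the fixed one. */
static void get_info(const void *user_in, void *user_out, int zero_first)
{
    struct demo_info info;

    memset(&info, STALE, sizeof(info));    /* simulate stale stack bytes */
    if (zero_first)
        memset(&info, 0, sizeof(info));    /* the fix: zero the whole struct */
    memcpy(&info, user_in, MINSZ);         /* models copy_from_user(..., minsz) */
    info.flags = 0;                        /* model: handler fills only some fields */
    memcpy(user_out, &info, sizeof(info)); /* models copy_to_user() of the full struct */
}

/* Returns how many reply bytes past MINSZ still hold stale content. */
size_t leaked_tail_bytes(int zero_first)
{
    struct demo_info in = {0};
    unsigned char out[sizeof(struct demo_info)];
    size_t i, n = 0;

    in.argsz = sizeof(in);
    get_info(&in, out, zero_first);
    for (i = MINSZ; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("pre-fix: %zu stale bytes, fixed: %zu\n", leaked_tail_bytes(0), leaked_tail_bytes(1));
    return 0;
}
```

The same review check applies to any handler that copies a stack struct back to the caller: every byte up to the copied size must be written, either by zeroing the struct first or by copying in the full size.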

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
