CVE-2023-54043
Description
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Do not add the same hwpt to the ioas->hwpt_list twice
The hwpt is added to the hwpt_list only during its creation, it is never added again. This hunk is some missed leftover from rework. Adding it twice will corrupt the linked list in some cases.
It affects HWPT specific attachment, which is something the test suite cannot cover until we can create a legitimate struct device with a non-system iommu "driver" (i.e. we need the bus removed from the iommu code).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free or list corruption bug in the Linux kernel's iommufd subsystem where the same hardware pagetable (hwpt) could be added to the ioas->hwpt_list twice, corrupting the linked list.
Root Cause
The vulnerability resides in the Linux kernel's iommufd subsystem. During rework of the code, a leftover hunk caused the same hardware pagetable (hwpt) to be added to the ioas->hwpt_list linked list twice. The hwpt is normally added to this list only during its creation, but the erroneous code path allowed a second addition. This double insertion corrupts the linked list, leading to undefined behavior, including potential use-after-free or memory corruption [1].
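The double insertion described above, modelled in user space as an added example (not code from the kernel or from this advisory). `hwpt_list` and `hwpt_item` are hypothetical stand-ins, insertion at the list head is assumed, and the checked variant is a simplified form of the neighbour checks the kernel performs when built with CONFIG_DEBUG_LIST.

```c
#include <stdbool.h>

/* Minimal model of a kernel-style circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }

/* Unchecked insert directly after head. */
static void list_add_raw(struct list_head *new, struct list_head *head)
{
    struct list_head *next = head->next;
    next->prev = new; new->next = next;
    new->prev = head; head->next = new;
}

/* Checked insert: refuse when the neighbours disagree or when `new` is
 * already adjacent to head. Catches only the adjacent double add. */
static bool list_add_checked(struct list_head *new, struct list_head *head)
{
    struct list_head *next = head->next;
    if (next->prev != head || new == head || new == next)
        return false;
    list_add_raw(new, head);
    return true;
}

/* Entries reachable from head, or -1 if the walk never returns to head. */
static int list_count(const struct list_head *head, int limit)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next)
        if (++n > limit) return -1;
    return n;
}

/* hwpt_list and hwpt_item are hypothetical stand-ins for ioas->hwpt_list
 * and one hwpt's list entry; the same entry is added twice. */
int demo_double_add(bool checked)
{
    struct list_head hwpt_list, hwpt_item;
    list_init(&hwpt_list);
    for (int i = 0; i < 2; i++) {   /* creation, then the stray second add */
        if (checked) (void)list_add_checked(&hwpt_item, &hwpt_list);
        else list_add_raw(&hwpt_item, &hwpt_list);
    }
    return list_count(&hwpt_list, 16);
}
```

In the unchecked run the entry ends up pointing at itself, so a traversal never returns to the list head; the checked run rejects the second add and the list keeps one entry.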
Exploitation
Exploitation requires the ability to trigger the specific HWPT attachment path that exercises this bug. The kernel developers note that this path is not covered by the existing test suite because testing it requires a legitimate struct device with a non-system IOMMU driver (i.e., the bus must first be removed from the IOMMU code). In practice, an attacker would need local access and the ability to create or manipulate IOMMU mappings in a way that triggers the double list add [1].
Impact
An attacker who successfully triggers this bug could corrupt kernel memory, potentially leading to a denial of service (system crash) or, in more severe cases, privilege escalation if the corruption is leveraged to overwrite sensitive data structures. The exact impact depends on the kernel configuration and the state of the linked list at the time of corruption.
Mitigation
The fix is included in the Linux kernel stable tree commit referenced in the advisory [1]. Users should apply the latest stable kernel updates from their distribution. No workaround is available; the vulnerability is fixed by removing the erroneous leftover code.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (2)
c44adefdcf47
b4ff830eca09
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)