CVE-2023-54057

Vulnerability

Overview

In the Linux kernel, the AMD IOMMU driver's parse_ivrs_acpihid function contains a buffer overflow vulnerability in the handling of the ivrs_acpihid command-line parameter. The acpiid buffer can overflow because the sscanf() format string used to parse the parameter lacks a width limitation on the string specifier [1][2].

Exploitation

This vulnerability is triggered during kernel boot when the system parses the ivrs_acpihid command-line parameter. An attacker with the ability to control or influence kernel command-line arguments (e.g., via a compromised bootloader or through certain hypervisor configurations) could supply an overly long string for the ACPI HID component, causing a buffer overflow in the kernel stack.

Impact

A successful overflow could corrupt kernel memory, potentially leading to a denial of service (system crash) or, in more severe scenarios, arbitrary code execution at the kernel level. The vulnerability was discovered by InfoTeCS on behalf of the Linux Verification Center using the SVACE static analysis tool [1][2].

Mitigation

The fix has been applied to the Linux kernel stable tree. Users should update to a kernel version containing the commit that adds a length limitation to the sscanf() format string for the ivrs_acpihid parameter [1][2]. No workaround is available other than applying the patch.