CVE-2023-54095
Description
In the Linux kernel, the following vulnerability has been resolved:
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both PCI and VIO buses. struct notifier_block is a linked list node, so this causes any notifiers later registered to either bus type to also be registered to the other since they share the same node.
This causes issues in (at least) the vgaarb code, which registers a notifier for PCI buses. pci_notify() ends up being called on a vio device, converted with to_pci_dev() even though it's not a PCI device, and finally makes a bad access in vga_arbiter_add_pci_device() as discovered with KASAN:
BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00
Read of size 4 at addr c000000264c26fdc by task swapper/0/1

Call Trace:
 dump_stack_lvl+0x1bc/0x2b8 (unreliable)
 print_report+0x3f4/0xc60
 kasan_report+0x244/0x698
 __asan_load4+0xe8/0x250
 vga_arbiter_add_pci_device+0x60/0xe00
 pci_notify+0x88/0x444
 notifier_call_chain+0x104/0x320
 blocking_notifier_call_chain+0xa0/0x140
 device_add+0xac8/0x1d30
 device_register+0x58/0x80
 vio_register_device_node+0x9ac/0xce0
 vio_bus_scan_register_devices+0xc4/0x13c
 __machine_initcall_pseries_vio_device_init+0x94/0xf0
 do_one_initcall+0x12c/0xaa8
 kernel_init_freeable+0xa48/0xba8
 kernel_init+0x64/0x400
 ret_from_kernel_thread+0x5c/0x64
Fix this by creating separate notifier_block structs for each bus type.
[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free-like bug in Linux kernel's powerpc IOMMU code causes notifier corruption between PCI and VIO buses, leading to slab-out-of-bounds access.
Bug
Description
In the Linux kernel's powerpc architecture, the fail_iommu_setup() function registers the same notifier_block struct (fail_iommu_bus_notifier) for both PCI and VIO buses. Since struct notifier_block is a linked list node, this sharing means that any notifier later registered for either bus type inadvertently gets added to the other bus's notifier chain. This corrupts the linked list structure and leads to a slab-out-of-bounds read when the VGA arbiter's PCI notifier is called on a VIO device [1].
Exploitation
Conditions
The bug is triggered during early boot when the kernel enumerates devices on the VIO bus. The VGA arbiter subsystem registers a PCI bus notifier via pci_notify(). Because the shared notifier node causes cross-contamination, pci_notify() ends up being invoked for a VIO device. The function then calls to_pci_dev() on the non-PCI device, converting the pointer incorrectly, and subsequently performs an out-of-bounds memory access in vga_arbiter_add_pci_device(). No special privileges or attacker interaction are required; it occurs automatically during normal boot on affected powerpc systems.
Impact
An out-of-bounds read of size 4 from a slab object can cause a kernel panic (oops) during boot, preventing the system from starting. The KASAN report shows the read at address 0xc000000264c26fdc in the VGA arbiter path. This constitutes a denial-of-service vulnerability affecting system availability. No evidence of privilege escalation or data corruption beyond the immediate crash has been provided.
Mitigation
The Linux kernel upstream has applied multiple stable branch patches to fix the issue. The remedy is to allocate separate notifier_block structs for each bus type, preventing the linked list corruption [2][3][4]. Affected users should update their kernel to a version containing the fix. No workaround is available; the bug is entirely in the boot-time initialization path.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
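The mechanism described in the kernel commit message above and restated in the AI Insight "Bug" and "Mitigation" sections comes down to one fact: struct notifier_block carries its own next pointer, so one block can sit in only one chain at a time. The following is an added user-space model, written for this page and not taken from the kernel or the referenced patches; it re-implements the insertion walk of the kernel's notifier_chain_register() in miniature, registers a single block on two chains the way fail_iommu_setup() did, then registers a PCI-only callback (standing in for vgaarb's pci_notify()) and shows that it is reached through the VIO chain. The callback names, the struct device stand-in and the call counters are constructed for the demonstration; the second function shows the fix of using one block per bus.

```c
/* Added example, not kernel code: a minimal model of the notifier chain
 * showing why one notifier_block shared by two buses cross-links them. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

struct notifier_block;
typedef int (*notifier_fn_t)(struct notifier_block *nb, unsigned long action, void *data);

/* Same three fields as the kernel's struct notifier_block: the callback,
 * the singly linked list pointer, and a priority used for ordering. */
struct notifier_block {
    notifier_fn_t notifier_call;
    struct notifier_block *next;   /* the list link: a node belongs to one chain only */
    int priority;
};

/* Insertion walk modelled on the kernel's notifier_chain_register():
 * advance past equal-or-higher priority entries, then splice n in. */
static int notifier_chain_register(struct notifier_block **nl, struct notifier_block *n)
{
    while (*nl != NULL) {
        if (*nl == n)
            return -1;              /* kernel warns on a double registration on one chain */
        if (n->priority > (*nl)->priority)
            break;
        nl = &(*nl)->next;
    }
    n->next = *nl;                  /* whatever followed becomes part of this chain too */
    *nl = n;
    return 0;
}

static void notifier_call_chain(struct notifier_block *nl, unsigned long action, void *data)
{
    for (struct notifier_block *nb = nl; nb != NULL; nb = nb->next)
        nb->notifier_call(nb, action, data);
}

/* Constructed stand-in for a bus device: the only thing we model is which bus it sits on. */
struct device { const char *bus; };

static int pci_notify_seen_vio_device;   /* counts the bug condition */

/* Constructed stand-in for fail_iommu_bus_notify(): bus-agnostic, harmless. */
static int fail_iommu_bus_notify(struct notifier_block *nb, unsigned long action, void *data)
{
    (void)nb; (void)action; (void)data;
    return 0;
}

/* Constructed stand-in for vgaarb's pci_notify(): it is only correct for PCI devices.
 * In the kernel it would call to_pci_dev() here; a VIO device reaching it is the bug. */
static int pci_notify(struct notifier_block *nb, unsigned long action, void *data)
{
    struct device *dev = data;
    (void)nb; (void)action;
    if (strcmp(dev->bus, "vio") == 0)
        pci_notify_seen_vio_device++;
    return 0;
}

/* Buggy layout: one block registered on both buses. Returns how many times the
 * PCI-only callback was invoked for a VIO device when the VIO chain runs. */
int run_shared_block(void)
{
    struct notifier_block *pci_chain = NULL, *vio_chain = NULL;
    struct notifier_block fail_iommu_bus_notifier = { fail_iommu_bus_notify, NULL, 0 };
    struct notifier_block vgaarb_notifier = { pci_notify, NULL, 0 };
    struct device vio_dev = { "vio" };

    notifier_chain_register(&pci_chain, &fail_iommu_bus_notifier);
    notifier_chain_register(&vio_chain, &fail_iommu_bus_notifier); /* same node again */
    notifier_chain_register(&pci_chain, &vgaarb_notifier);        /* appended after the shared node... */

    pci_notify_seen_vio_device = 0;
    notifier_call_chain(vio_chain, 0, &vio_dev);                   /* ...so the VIO chain reaches it */
    return pci_notify_seen_vio_device;
}

/* Fixed layout, as in the upstream patch: a separate block per bus type. */
int run_separate_blocks(void)
{
    struct notifier_block *pci_chain = NULL, *vio_chain = NULL;
    struct notifier_block fail_iommu_pci_notifier = { fail_iommu_bus_notify, NULL, 0 };
    struct notifier_block fail_iommu_vio_notifier = { fail_iommu_bus_notify, NULL, 0 };
    struct notifier_block vgaarb_notifier = { pci_notify, NULL, 0 };
    struct device vio_dev = { "vio" };

    notifier_chain_register(&pci_chain, &fail_iommu_pci_notifier);
    notifier_chain_register(&vio_chain, &fail_iommu_vio_notifier);
    notifier_chain_register(&pci_chain, &vgaarb_notifier);        /* stays on the PCI chain only */

    pci_notify_seen_vio_device = 0;
    notifier_call_chain(vio_chain, 0, &vio_dev);
    return pci_notify_seen_vio_device;
}

int main(void)
{
    printf("shared block:    pci_notify saw a VIO device %d time(s)\n", run_shared_block());
    printf("separate blocks: pci_notify saw a VIO device %d time(s)\n", run_separate_blocks());
    return 0;
}
```

The splice in notifier_chain_register() is what matters: registering the vgaarb block on the PCI chain writes it into fail_iommu_bus_notifier.next, and because that same struct is also the head of the VIO chain, the VIO chain now ends in a PCI-only callback. Giving each bus its own block, as the fix does, keeps the two lists disjoint.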
Affected products (1)
Patches (9)
- dc0d107e624c
- 075a4dcdbc9a
- 65bf8a196ba2
- f08944e3c696
- a9ddbfed5346
- f17d5efaafba
- c46af5858825
- 6670c65bf863
- c37b6908f7b2
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/075a4dcdbc9a5ea793cb8ec8b78a6c0b7636fd52 (nvd)
- git.kernel.org/stable/c/65bf8a196ba25cf65a858b5bb8de80f0aad76691 (nvd)
- git.kernel.org/stable/c/6670c65bf863cd0d44ca24d4c10ef6755b8d9529 (nvd)
- git.kernel.org/stable/c/a9ddbfed53465bc7c411231db32a488066c0c1be (nvd)
- git.kernel.org/stable/c/c37b6908f7b2bd24dcaaf14a180e28c9132b9c58 (nvd)
- git.kernel.org/stable/c/c46af58588253e5e4063bb5ddc78cd12fdf9e55d (nvd)
- git.kernel.org/stable/c/dc0d107e624ca96aef6dd8722eb33ba3a6d157b0 (nvd)
- git.kernel.org/stable/c/f08944e3c6962b00827de7263a9e20688e79ad84 (nvd)
- git.kernel.org/stable/c/f17d5efaafba3d5f02f0373f7c5f44711d676f3e (nvd)
News mentions
No linked articles in our index yet.