CVE-2023-54137

Vulnerability

CVE-2023-54137 is an information leak vulnerability in the Linux kernel's VFIO/type1 subsystem. The root cause is that the local variable cap_mig of type struct vfio_iommu_type1_info_cap_migration is declared on the stack and only some of its members are explicitly initialized before the entire structure is copied to userspace. The structure contains a 4-byte hole between the flags and pgsize_bitmap fields, as shown by pahole. This uninitialized hole can contain leftover kernel stack data, which is then exposed to userspace when the structure is copied via memcpy in vfio_info_add_capability and ultimately returned by the VFIO_IOMMU_GET_INFO ioctl [1][2].

Exploitation

An attacker must have access to a VFIO device and be able to issue the VFIO_IOMMU_GET_INFO ioctl. No special privileges beyond the ability to interact with VFIO are required. The leak occurs during normal operation of the VFIO migration capability query, so no unusual conditions are needed. The uninitialized hole is present in the stack frame of vfio_iommu_migration_build_caps, and the data leaked depends on what was previously stored in that stack location.

Impact

A local attacker can obtain 4 bytes of uninitialized kernel stack memory. This may contain sensitive information such as pointers, cryptographic keys, process credentials, or other kernel data. This information leak could be used to bypass KASLR or to gather intelligence for further exploitation. The vulnerability is considered moderate severity because it requires local access and VFIO device access, but it can lead to the disclosure of kernel memory contents.

Mitigation

The fix was applied in the Linux kernel stable tree. The commit initializes the entire cap_mig structure with memset or by zeroing the hole explicitly before use. Users should update to update their kernel to a version containing the fix. No workaround is available other than restricting access to VFIO devices or applying the kernel patch.