CVE-2023-54239
Description
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Check for uptr overflow
syzkaller found that setting up a map with a user VA that wraps past zero can trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0 due to invalid arguments.
Prevent creating a pages with a uptr and size that would math overflow.
WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390
Modules linked in:
CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:pfn_reader_user_pin+0x2e6/0x390
Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 85 db 74 0a e8 14 e4 0f ff e9 4d ff ff ff e8 0a e4 0f ff <0f> 0b bb f2 ff ff ff e9 3c ff ff ff e8 f9 e3 0f ff ba 01 00 00 00
RSP: 0018:ffffc90000f9fa30 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff821e2b72
RDX: 0000000000000000 RSI: ffff888014184680 RDI: 0000000000000002
RBP: ffffc90000f9fa78 R08: 00000000000000ff R09: 0000000079de6f4e
R10: ffffc90000f9f790 R11: ffff888014185418 R12: ffffc90000f9fc60
R13: 0000000000000002 R14: ffff888007879800 R15: 0000000000000000
FS: 00007f4227555740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000043 CR3: 000000000e748005 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 pfn_reader_next+0x14a/0x7b0
 ? interval_tree_double_span_iter_update+0x11a/0x140
 pfn_reader_first+0x140/0x1b0
 iopt_pages_rw_slow+0x71/0x280
 ? __this_cpu_preempt_check+0x20/0x30
 iopt_pages_rw_access+0x2b2/0x5b0
 iommufd_access_rw+0x19f/0x2f0
 iommufd_test+0xd11/0x16f0
 ? write_comp_data+0x2f/0x90
 iommufd_fops_ioctl+0x206/0x330
 __x64_sys_ioctl+0x10e/0x160
 ? __pfx_iommufd_fops_ioctl+0x10/0x10
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing overflow check in iommufd allows a user VA wrap to trigger WARN_ONs and potential denial of service.
Vulnerability Overview
In the Linux kernel's iommufd subsystem, a missing integer overflow check when handling user virtual addresses (uptr) and size parameters can lead to a mathematical wrap-around. This flaw was discovered by syzkaller and manifests as a WARN_ON triggered in pfn_reader_user_pin when pin_user_pages returns zero due to invalid arguments [1].
Exploitation Conditions
The vulnerability is exploitable by a local user with access to the iommufd interface, typically through the /dev/iommu device. By crafting an IOMMUFD_CMD_MAP ioctl with a user VA that wraps past zero (i.e., a very large address that overflows when combined with the requested size), an attacker can cause the kernel's internal calculations to overflow. This results in pin_user_pages receiving invalid parameters, leading to the WARN_ON and potentially a kernel panic [1].
Impact
An attacker who successfully triggers this bug can cause a denial of service (system crash) due to the WARN_ON splat and subsequent unstable state. The issue does not appear to allow privilege escalation or arbitrary code execution, but it can be used to reliably crash the system from an unprivileged user context [1].
Mitigation
The fix was committed to the Linux kernel stable tree in commit e4395701330f. The patch adds a check to prevent creating pages with a uptr and size that would cause mathematical overflow. Users should update to a kernel version containing this fix or apply the patch manually [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
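The kind of check the description refers to, as an added example (this is not the kernel patch and not code from this page): a user-space C illustration that rejects a (uptr, length) pair whose sum wraps past zero, next to the same page arithmetic done without the check. The function names, the 4096-byte page size and the sample addresses are assumptions made for the example; it relies on the GCC/Clang builtin __builtin_add_overflow.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096UL /* assumed page size for this example */

/* Hypothetical helper (not a kernel function): validate a user range
 * before any page arithmetic. Returns 0 and the number of pages the
 * range touches, or a negative errno. */
int ex_check_user_range(uintptr_t uptr, size_t length, size_t *npages)
{
    uintptr_t end;

    if (length == 0)
        return -EINVAL;
    /* Reject uptr + length wrapping past zero. This is conservative:
     * a range ending exactly at the top of the address space is
     * rejected as well. */
    if (__builtin_add_overflow(uptr, length, &end))
        return -EOVERFLOW;
    *npages = (end - 1) / EX_PAGE_SIZE - uptr / EX_PAGE_SIZE + 1;
    return 0;
}

/* The same page arithmetic without the check, for comparison. With a
 * wrapping range the last byte lands below the first one, so the
 * result is a meaningless huge count. */
size_t ex_unchecked_npages(uintptr_t uptr, size_t length)
{
    uintptr_t end = uptr + length; /* unsigned wrap, no error */

    return (end - 1) / EX_PAGE_SIZE - uptr / EX_PAGE_SIZE + 1;
}

int main(void)
{
    /* Constructed inputs: one ordinary range, one that wraps. */
    uintptr_t wrap = UINTPTR_MAX - (EX_PAGE_SIZE - 1);
    size_t n = 0;
    int rc = ex_check_user_range(0x20000000, 2 * EX_PAGE_SIZE, &n);

    printf("ordinary: rc=%d npages=%zu\n", rc, n);
    rc = ex_check_user_range(wrap, 2 * EX_PAGE_SIZE, &n);
    printf("wrapping: rc=%d (unchecked math gives %zu pages)\n", rc,
           ex_unchecked_npages(wrap, 2 * EX_PAGE_SIZE));
    return 0;
}
```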
Affected products: 1
Patches: 2
800963e7eb00
e4395701330f
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2