CVE-2023-54325
Description
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - fix out-of-bounds read
When preparing an AER-CTR request, the driver copies the key provided by the user into a data structure that is accessible by the firmware. If the target device is QAT GEN4, the key size is rounded up by 16 since a rounded up size is expected by the device. If the key size is rounded up before the copy, the size used for copying the key might be bigger than the size of the region containing the key, causing an out-of-bounds read.
Fix by doing the copy first and then update the keylen.
This is to fix the following warning reported by KASAN:
[ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340
[ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45 [ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022 [ 138.150663] Call Trace: [ 138.150668] [ 138.150922] kasan_check_range+0x13a/0x1c0 [ 138.150931] memcpy+0x1f/0x60 [ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat] [ 138.151073] crypto_skcipher_setkey+0x82/0x160 [ 138.151085] ? prepare_keybuf+0xa2/0xd0 [ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's QAT driver, an out-of-bounds read occurs when the key size is rounded up before copying, allowing memory beyond the key buffer to be read.
Vulnerability
Description
In the Linux kernel's QAT (QuickAssist Technology) crypto driver, an out-of-bounds read vulnerability exists in the qat_alg_skcipher_init_com function when preparing an AER-CTR request. The driver copies a user-provided key into a firmware-accessible data structure. For QAT GEN4 devices, the key size is rounded up by 16 bytes because the device expects a rounded-up size. However, the rounding occurs before the copy is performed before the key is copied, causing the copy operation to read beyond the bounds of the key buffer. This results in a global out-of-bounds read, as reported by KASAN [1].
Exploitation
An attacker can trigger this vulnerability by supplying a key of a size that, when rounded up, exceeds the actual key buffer size. The attack requires the ability to set a cryptographic key via the kernel's crypto API, typically through a crypto_skcipher_setkey call. No special privileges are needed beyond access to the crypto subsystem, which is available to unprivileged users in many configurations. The vulnerability is exploitable when the target device is a QAT GEN4 accelerator [1].
Impact
A successful out-of-bounds read can leak sensitive kernel memory contents to the attacker. The KASAN report shows a read of 32 bytes from a global variable, which could include cryptographic keys, passwords, or other confidential data. This information disclosure could be used to further compromise the system's security, potentially leading to further attacks [1].
Mitigation
The fix is to perform the key copy first and then update the key length, ensuring that the copy size does not exceed the actual key buffer. The patch has been applied to the Linux kernel stable branches, as seen in the referenced commits [1][2][3][4]. Users should update their kernel versions containing this vulnerability should update to a patched version. No workaround is available other than applying the kernel patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
47697139d5dfddc3809f390352b1501f05824f6044cc3030eVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.