CVE-2023-54007

Published: Dic 24, 2025 Last Modified: Dic 29, 2025
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

vmci_host: fix a race condition in vmci_host_poll() causing GPF

During fuzzing, a general protection fault is observed in
vmci_host_poll().

general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
<- omitting registers ->
Call Trace:
<TASK>
lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162
add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22
poll_wait include/linux/poll.h:49 [inline]
vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174
vfs_poll include/linux/poll.h:88 [inline]
do_pollfd fs/select.c:873 [inline]
do_poll fs/select.c:921 [inline]
do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015
__do_sys_ppoll fs/select.c:1121 [inline]
__se_sys_ppoll+0x2cc/0x330 fs/select.c:1101
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Example thread interleaving that causes the general protection fault
is as follows:

CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)
----- -----
// Read uninitialized context
context = vmci_host_dev->context;
// Initialize context
vmci_host_dev->context = vmci_ctx_create();
vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;

if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {
// Dereferencing the wrong pointer
poll_wait(..., &context->host_context);
}

In this scenario, vmci_host_poll() reads vmci_host_dev->context first,
and then reads vmci_host_dev->ct_type to check that
vmci_host_dev->context is initialized. However, since these two reads
are not atomically executed, there is a chance of a race condition as
described above.

To fix this race condition, read vmci_host_dev->context after checking
the value of vmci_host_dev->ct_type so that vmci_host_poll() always
reads an initialized context.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0003
Percentile
0,1th
Updated

EPSS Score Trend (Last 83 Days)

https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79…
https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3
https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16…
https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92
https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054f…
https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c
https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdb…
https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b
https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711…
https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448
https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3c…
https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7
https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213…
https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc
https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd6…
https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9