CVE-2023-54060 in Linux
Summary
by MITRE • 12/24/2025
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Set end correctly when doing batch carry
Even though the test suite covers this it somehow became obscured that this wasn't working.
The test iommufd_ioas.mock_domain.access_domain_destory would blow up rarely.
end should be set to 1 because this just pushed an item, the carry, to the pfns list.
Sometimes the test would blow up with:
BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP
CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:batch_unpin+0xa2/0x100 [iommufd]
Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc RSP: 0018:ffffc90001677a58 EFLAGS: 00010246 RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200 R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001 R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe FS: 00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x5c/0x70 ? __die+0x1f/0x60 ? page_fault_oops+0x15d/0x440 ? lock_release+0xbc/0x240 ? exc_page_fault+0x4a4/0x970 ? asm_exc_page_fault+0x27/0x30 ? batch_unpin+0xa2/0x100 [iommufd]
? batch_unpin+0xba/0x100 [iommufd]
__iopt_area_unfill_domain+0x198/0x430 [iommufd]
? __mutex_lock+0x8c/0xb80 ? __mutex_lock+0x6aa/0xb80 ? xa_erase+0x28/0x30 ? iopt_table_remove_domain+0x162/0x320 [iommufd]
? lock_release+0xbc/0x240 iopt_area_unfill_domain+0xd/0x10 [iommufd]
iopt_table_remove_domain+0x195/0x320 [iommufd]
iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd]
iommufd_object_destroy_user+0x8e/0xf0 [iommufd]
iommufd_device_detach+0xc5/0x140 [iommufd]
iommufd_selftest_destroy+0x1f/0x70 [iommufd]
iommufd_object_destroy_user+0x8e/0xf0 [iommufd]
iommufd_destroy+0x3a/0x50 [iommufd]
iommufd_fops_ioctl+0xfb/0x170 [iommufd]
__x64_sys_ioctl+0x40d/0x9a0 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/30/2025
The vulnerability identified as CVE-2023-54060 resides within the Linux kernel's iommufd subsystem, specifically affecting how batch operations handle carry mechanisms during memory management. This flaw manifests in the incorrect setting of the end parameter when processing batch carry operations, leading to a critical NULL pointer dereference under certain conditions. The issue was initially obscured despite existing test coverage, indicating a gap in validation that allowed the bug to persist until it was triggered during rare execution paths in the iommufd_ioas.mock_domain.access_domain_destory test case. The root cause lies in the improper assignment of the end variable to zero instead of one when pushing a carry item to the pfns list, which subsequently results in invalid memory access patterns.
The technical impact of this vulnerability is severe as it leads to a kernel NULL pointer dereference, specifically occurring in the batch_unpin function within the iommufd module. The kernel oops trace shows the execution path leading to the fault at RIP: 0010:batch_unpin+0xa2/0x100, where the system attempts to read from address zero, indicating a complete failure in memory management handling. This type of fault represents a classic kernel-level memory corruption issue that can lead to system crashes, denial of service, or potentially more serious security implications if exploited. The vulnerability is categorized under CWE-476 as a NULL Pointer Dereference, which is a well-known class of software defects that can result in system instability and potential privilege escalation scenarios.
The operational impact of CVE-2023-54060 extends beyond simple system crashes as it affects the stability of systems relying on IOMMU (Input-Output Memory Management Unit) functionality and virtualization capabilities. The iommufd subsystem is critical for managing IOMMU domains and memory mappings in virtualized environments, making this vulnerability particularly dangerous for cloud infrastructure, containerized applications, and systems implementing hardware-assisted virtualization. The rare occurrence of the bug means that it might not be immediately apparent during normal system operation but can manifest during specific stress conditions or when the memory management subsystem is under heavy load. This characteristic makes the vulnerability particularly insidious as it may remain undetected until system resources are exhausted or specific access patterns are triggered.
Mitigation strategies for this vulnerability primarily involve applying the kernel patch that correctly sets the end parameter to one when handling batch carry operations, ensuring that the pfns list is properly managed during memory management tasks. System administrators should prioritize updating to kernel versions that include the fix, particularly those containing the commit that addresses this specific issue in the iommufd subsystem. The fix aligns with ATT&CK technique T1547.001 for privilege escalation and T1499.004 for denial of service, as it prevents exploitation that could lead to system instability or unauthorized access. Additionally, monitoring systems for kernel oops messages or memory management errors related to iommufd should be implemented as part of a comprehensive security posture. Organizations using virtualized environments or systems requiring robust IOMMU functionality should conduct immediate assessments to determine their exposure and implement necessary updates to prevent potential exploitation of this vulnerability.