{
  "threat_severity" : "Low",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: powerpc/iommu: Fix notifiers being shared by PCI and VIO buses",
    "id" : "2425107",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425107"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-843",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npowerpc/iommu: Fix notifiers being shared by PCI and VIO buses\nfail_iommu_setup() registers the fail_iommu_bus_notifier struct to both\nPCI and VIO buses.  struct notifier_block is a linked list node, so this\ncauses any notifiers later registered to either bus type to also be\nregistered to the other since they share the same node.\nThis causes issues in (at least) the vgaarb code, which registers a\nnotifier for PCI buses.  pci_notify() ends up being called on a vio\ndevice, converted with to_pci_dev() even though it's not a PCI device,\nand finally makes a bad access in vga_arbiter_add_pci_device() as\ndiscovered with KASAN:\nBUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00\nRead of size 4 at addr c000000264c26fdc by task swapper/0/1\nCall Trace:\ndump_stack_lvl+0x1bc/0x2b8 (unreliable)\nprint_report+0x3f4/0xc60\nkasan_report+0x244/0x698\n__asan_load4+0xe8/0x250\nvga_arbiter_add_pci_device+0x60/0xe00\npci_notify+0x88/0x444\nnotifier_call_chain+0x104/0x320\nblocking_notifier_call_chain+0xa0/0x140\ndevice_add+0xac8/0x1d30\ndevice_register+0x58/0x80\nvio_register_device_node+0x9ac/0xce0\nvio_bus_scan_register_devices+0xc4/0x13c\n__machine_initcall_pseries_vio_device_init+0x94/0xf0\ndo_one_initcall+0x12c/0xaa8\nkernel_init_freeable+0xa48/0xba8\nkernel_init+0x64/0x400\nret_from_kernel_thread+0x5c/0x64\nFix this by creating separate notifier_block structs for each bus type.\n[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build]", "A slab-out-of-bounds read vulnerability was found in the Linux kernel's PowerPC IOMMU code. The fail_iommu_setup() function registers the same notifier_block structure to both PCI and VIO buses. Since notifier_block is a linked list node, this causes notifiers registered to one bus type to also apply to the other. The VGA arbiter code then incorrectly processes VIO devices as PCI devices, causing an out-of-bounds memory access." ],
  "statement" : "This flaw affects only PowerPC systems with both PCI and VIO buses, typically IBM POWER servers running with IOMMU fail injection enabled. The out-of-bounds read occurs during device registration at boot time. Most PowerPC systems in production do not enable fail_iommu, limiting the practical impact.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54095\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54095\nhttps://lore.kernel.org/linux-cve-announce/2025122408-CVE-2023-54095-7fe0@gregkh/T" ],
  "name" : "CVE-2023-54095",
  "csaw" : false
}