In the Linux kernel, the following vulnerability has been resolved:
PCI: s390: Fix use-after-free of PCI resources with per-function hotplug
On s390 PCI functions may be hotplugged individually even when they belong to a multi-function device. In particular on an SR-IOV device VFs may be removed and later re-added.
In commit a50297cf8235 ("s390/pci: separate zbus creation from scanning") it was missed however that struct pci_bus and struct zpci_bus's resource list retained a reference to the PCI function's MMIO resources even though those resources are released and freed on hot-unplug. These stale resources may subsequently be claimed when the PCI function re-appears resulting in use-after-free.
One idea of fixing this use-after-free in s390 specific code that was investigated was to simply keep resources around from the moment a PCI function first appeared until the whole virtual PCI bus created for a multi-function device disappears. The problem with this however is that due to the requirement of artificial MMIO addresses (address cookies) extra logic is then needed to keep the address cookies compatible on re-plug. At the same time the MMIO resources semantically belong to the PCI function so tying their lifecycle to the function seems more logical.
Instead a simpler approach is to remove the resources of an individually hot-unplugged PCI function from the PCI bus's resource list while keeping the resources of other PCI functions on the PCI bus untouched.
This is done by introducing pci_bus_remove_resource() to remove an individual resource. Similarly the resource also needs to be removed from the struct zpci_bus's resource list. It turns out however, that there is really no need to add the MMIO resources to the struct zpci_bus's resource list at all and instead we can simply use the zpci_bar_struct's resource pointer directly.
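The lifetime problem and the per-resource removal described above, as an added user-space model that is not the kernel's code: a bus-level list holds pointers to resources owned by individual functions, and unplugging one function either leaves its slots dangling or detaches exactly those slots. Every name here (`model_bus`, `model_func`, `bus_remove_resource`, `stale_after_unplug`) is a hypothetical stand-in, and the stale pointers are only counted, never dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model; every name here is hypothetical, not kernel code. */
#define BARS 2
struct mmio_res { unsigned long start, len; };
struct model_bus { struct mmio_res *res[8]; size_t n; };   /* bus resource list */
struct model_func { struct mmio_res *bar[BARS]; };         /* function owns its BARs */

/* Drop the single list slot that refers to res; other functions' slots stay. */
static bool bus_remove_resource(struct model_bus *bus, const struct mmio_res *res)
{
    for (size_t i = 0; i < bus->n; i++) {
        if (bus->res[i] != res)
            continue;
        bus->res[i] = bus->res[--bus->n];
        return true;
    }
    return false;
}

/* Plug: allocate the function's MMIO resources and list them on the bus. */
static void func_plug(struct model_bus *bus, struct model_func *fn, unsigned long base)
{
    for (int i = 0; i < BARS; i++) {
        fn->bar[i] = malloc(sizeof(*fn->bar[i]));
        if (!fn->bar[i] || bus->n == 8)
            abort();
        *fn->bar[i] = (struct mmio_res){ base + i * 0x1000UL, 0x1000UL };
        bus->res[bus->n++] = fn->bar[i];
    }
}

/* Hot-unplug: with detach == false the bus list keeps pointers to freed memory. */
static void func_unplug(struct model_bus *bus, struct model_func *fn, bool detach)
{
    for (int i = 0; i < BARS; i++) {
        if (detach)
            bus_remove_resource(bus, fn->bar[i]);
        free(fn->bar[i]);
        fn->bar[i] = NULL;
    }
}

/* Plug two functions, unplug the first, return list slots left without an owner. */
static size_t stale_after_unplug(bool detach)
{
    struct model_bus bus = { .n = 0 };
    struct model_func f0, f1;
    func_plug(&bus, &f0, 0x10000UL);
    func_plug(&bus, &f1, 0x20000UL);
    func_unplug(&bus, &f0, detach);
    size_t stale = bus.n - BARS;    /* f1 still owns BARS slots */
    func_unplug(&bus, &f1, false);  /* cleanup; the list is not used again */
    return stale;
}

int main(void)
{
    printf("stale slots without detach: %zu\n", stale_after_unplug(false));
    printf("stale slots with detach:    %zu\n", stale_after_unplug(true));
    return 0;
}
```
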