
CVE-2023-53123: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Fri May 02 2025 (05/02/2025, 15:55:59 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: s390: Fix use-after-free of PCI resources with per-function hotplug

On s390, PCI functions may be hotplugged individually even when they belong to a multi-function device. In particular, on an SR-IOV device VFs may be removed and later re-added. In commit a50297cf8235 ("s390/pci: separate zbus creation from scanning") it was missed, however, that the resource lists of struct pci_bus and struct zpci_bus retained a reference to the PCI function's MMIO resources even though those resources are released and freed on hot-unplug. These stale resources may subsequently be claimed when the PCI function re-appears, resulting in a use-after-free.

One idea for fixing this use-after-free in s390-specific code that was investigated was to simply keep the resources around from the moment a PCI function first appears until the whole virtual PCI bus created for a multi-function device disappears. The problem with this, however, is that due to the requirement of artificial MMIO addresses (address cookies), extra logic is then needed to keep the address cookies compatible on re-plug. At the same time, the MMIO resources semantically belong to the PCI function, so tying their lifecycle to the function seems more logical.

Instead, a simpler approach is to remove the resources of an individually hot-unplugged PCI function from the PCI bus's resource list while keeping the resources of other PCI functions on the PCI bus untouched. This is done by introducing pci_bus_remove_resource() to remove an individual resource. Similarly, the resource also needs to be removed from the struct zpci_bus's resource list. It turns out, however, that there is really no need to add the MMIO resources to the struct zpci_bus's resource list at all; instead the zpci_bar_struct's resource pointer can be used directly.

AI-Powered Analysis

Last updated: 07/01/2025, 04:41:48 UTC

Technical Analysis

CVE-2023-53123 is a use-after-free vulnerability in the Linux kernel's PCI subsystem, specific to the s390 architecture. The issue arises from the handling of PCI functions that can be hotplugged individually even when they belong to a multi-function device, such as SR-IOV virtual functions (VFs). When a PCI function is hot-unplugged, its associated MMIO (Memory-Mapped I/O) resources are released and freed. However, the kernel's pci_bus and zpci_bus structures retained stale references to these freed resources in their resource lists, so if the PCI function is later re-added, those stale entries can be claimed again and the kernel accesses freed memory. The consequence is a use-after-free that can lead to memory corruption, system instability or crashes.

The root cause was a missed cleanup of resource references in the resource lists of pci_bus and zpci_bus after hot-unplug events. The fix introduced a new function, pci_bus_remove_resource(), to selectively remove the resources of an individually hot-unplugged PCI function from the PCI bus's resource list without affecting other functions. Additionally, the patch removed the need to add MMIO resources to the zpci_bus's resource list at all, using the resource pointer held in the per-BAR structure directly, which simplifies resource lifecycle management.

This vulnerability is specific to the s390 architecture and affects Linux kernel versions containing commit a50297cf8235, which introduced the flawed resource handling. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
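To make the lifecycle problem in the description and analysis above concrete, the following is an added stand-alone C model; it is not kernel code and not part of this record. It mimics the shape of the bug: a bus keeps a list of pointers to per-function MMIO resources that it does not own, and the function releases its resource on hot-unplug. The buggy unplug leaves the bus entry in place, so a later re-plug finds a released resource still reachable from the bus; the fixed unplug detaches the entry first, in the spirit of the pci_bus_remove_resource() the upstream fix introduced. All names here (bus_remove_resource, func_hotplug, func_hotunplug_buggy, func_hotunplug_fixed, stale_after_cycle) and the static resource pool with a released flag standing in for kfree() are assumptions of this model, chosen so the stale reference can be counted deterministically instead of dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RES      8   /* static pool: lets stale pointers be detected without freeing */
#define MAX_BUS_RES  8

struct resource {
    unsigned long start, end;
    char name[16];
    int released;            /* model of kfree(): set instead of freeing, so stale use is detectable */
};

/* The bus only holds pointers to resources owned by the functions (modelled simplification). */
struct bus {
    struct resource *res[MAX_BUS_RES];
    int nres;
};

struct pci_func {
    struct resource *bar;    /* the function owns its BAR resource */
};

static struct resource pool[MAX_RES];
static int pool_used;

static struct resource *resource_alloc(unsigned long start, unsigned long end, const char *name)
{
    if (pool_used >= MAX_RES)
        return NULL;
    struct resource *r = &pool[pool_used++];
    r->start = start;
    r->end = end;
    r->released = 0;
    snprintf(r->name, sizeof r->name, "%s", name);
    return r;
}

static void resource_release(struct resource *r) { r->released = 1; }

static int bus_add_resource(struct bus *b, struct resource *r)
{
    if (b->nres >= MAX_BUS_RES)
        return -1;
    b->res[b->nres++] = r;
    return 0;
}

/* Model of the per-resource removal the fix added: drop exactly one entry by
 * pointer and leave the other functions' resources on the bus untouched.
 * Returns 1 if the entry was found and removed, 0 otherwise. */
static int bus_remove_resource(struct bus *b, struct resource *r)
{
    for (int i = 0; i < b->nres; i++) {
        if (b->res[i] == r) {
            memmove(&b->res[i], &b->res[i + 1], (size_t)(b->nres - i - 1) * sizeof b->res[0]);
            b->nres--;
            return 1;
        }
    }
    return 0;
}

/* Number of bus entries that still point at a released resource (the stale references). */
static int bus_count_stale(const struct bus *b)
{
    int n = 0;
    for (int i = 0; i < b->nres; i++)
        if (b->res[i]->released)
            n++;
    return n;
}

static struct pci_func *func_hotplug(struct bus *b, unsigned long start, unsigned long end, const char *name)
{
    struct pci_func *f = calloc(1, sizeof *f);
    if (!f)
        return NULL;
    f->bar = resource_alloc(start, end, name);
    if (!f->bar || bus_add_resource(b, f->bar) < 0) {
        free(f);
        return NULL;
    }
    return f;
}

/* Pre-fix behaviour: the BAR is released but the bus still points at it. */
static void func_hotunplug_buggy(struct bus *b, struct pci_func *f)
{
    (void)b;
    resource_release(f->bar);
    free(f);
}

/* Fixed behaviour: detach the resource from the bus before releasing it. */
static void func_hotunplug_fixed(struct bus *b, struct pci_func *f)
{
    bus_remove_resource(b, f->bar);
    resource_release(f->bar);
    free(f);
}

/* One unplug/re-plug cycle on a fresh bus with two constructed VFs. Returns how
 * many released resources are still reachable from the bus after VF0 is
 * unplugged and a new VF0 is plugged in its place (-1 on setup failure). */
static int stale_after_cycle(int use_fix)
{
    struct bus b = {0};
    pool_used = 0;
    struct pci_func *vf0 = func_hotplug(&b, 0x1000, 0x1fff, "vf0.bar0");
    struct pci_func *vf1 = func_hotplug(&b, 0x2000, 0x2fff, "vf1.bar0");
    if (!vf0 || !vf1)
        return -1;
    if (use_fix)
        func_hotunplug_fixed(&b, vf0);
    else
        func_hotunplug_buggy(&b, vf0);
    struct pci_func *vf0_new = func_hotplug(&b, 0x1000, 0x1fff, "vf0.bar0");
    if (!vf0_new)
        return -1;
    int stale = bus_count_stale(&b);
    func_hotunplug_fixed(&b, vf1);
    func_hotunplug_fixed(&b, vf0_new);
    return stale;
}

int main(void)
{
    printf("buggy unplug: %d stale resource(s) on bus\n", stale_after_cycle(0));
    printf("fixed unplug: %d stale resource(s) on bus\n", stale_after_cycle(1));
    return 0;
}
```

In the real kernel the released entry would be freed memory rather than a flagged pool slot, which is why the symptom there is a use-after-free rather than a countable stale entry; the ordering lesson is the same: any list that references a resource owned by a hot-unpluggable function must be unlinked before the function tears that resource down.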

Potential Impact

For European organizations running Linux on s390 hardware platforms, particularly those utilizing PCI hotplug features or SR-IOV virtual functions, this vulnerability could lead to kernel crashes or system instability due to use-after-free memory access. Such instability may cause denial of service conditions affecting critical infrastructure or enterprise systems relying on s390 mainframes. Although no direct remote code execution or privilege escalation is indicated, the potential for system crashes can disrupt business operations, especially in sectors like finance, government, and telecommunications where s390 mainframes are prevalent. The absence of known exploits reduces immediate risk, but organizations should remain vigilant as attackers could develop exploits targeting this vulnerability. The impact is limited to environments using the s390 architecture and PCI hotplug functionality, which narrows the affected scope but remains significant for affected deployments.

Mitigation Recommendations

European organizations should promptly apply the Linux kernel patches that address CVE-2023-53123; the description above records that the fix has been merged upstream, so the relevant update is whatever distribution kernel carries it. Until patched kernels are deployed, organizations can reduce risk by limiting or disabling PCI hotplug operations on s390 systems where feasible, in particular avoiding hot-unplug and re-plug cycles of individual PCI functions (including SR-IOV VFs). Monitoring kernel logs for unusual PCI hotplug events or errors related to resource management can help detect instability or attempted exploitation. Additionally, organizations should ensure robust backup and recovery procedures for critical s390 systems to minimize downtime in case of crashes. Engaging with Linux distribution vendors for timely patch releases, and testing patches in staging environments before production deployment, is recommended to ensure stability. Finally, maintaining up-to-date inventories of s390 hardware and PCI configurations will aid in targeted mitigation efforts.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-02T15:51:43.555Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9830c4522896dcbe7072

Added to database: 5/21/2025, 9:09:04 AM

Last enriched: 7/1/2025, 4:41:48 AM

Last updated: 8/12/2025, 1:01:28 AM

