LiveActive security incident?Get immediate response
CVE Record

CVE-2023-52474: IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests

In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.a Here are the specific bugs: 1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len. Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec to the packet, even if some of those bytes are past iovec->iov.iov_len and are thus not intended to be in the packet. 2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec in user_sdma_request->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet. The transmitted packet will contain the wrong data from the iovec pages. This has not been an issue with SDMA packets from hfi1 Verbs or PSM2 because they only produce iovecs that end short of PAGE_SIZE as the tail iovec of an SDMA request. Fixing these bugs exposes other bugs with the SDMA pin cache (struct mmu_rb_handler) that get in way of supporting user SDMA requests with multiple payload iovecs whose buffers do not end at PAGE_SIZE. So this commit fixes those issues as well. Here are the mmu_rb_handler bugs that non-PAGE_SIZE-end multi-iovec payload user SDMA requests can hit: 1. Overlapping memory ranges in mmu_rb_handler will result in duplicate pinnings. 2. When extending an existing mmu_rb_handler entry (struct mmu_rb_node), the mmu_rb code (1) removes the existing entry under a lock, (2) releases that lock, pins the new pages, (3) then reacquires the lock to insert the extended mmu_rb_node. If someone else comes in and inserts an overlapping entry between (2) and (3), insert in (3) will fail. The failure path code in this case unpins _all_ pages in either the original mmu_rb_node or the new mmu_rb_node that was inserted between (2) and (3). 3. In hfi1_mmu_rb_remove_unless_exact(), mmu_rb_node->refcount is incremented outside of mmu_rb_handler->lock. As a result, mmu_rb_node could be evicted by another thread that gets mmu_rb_handler->lock and checks mmu_rb_node->refcount before mmu_rb_node->refcount is incremented. 4. Related to #2 above, SDMA request submission failure path does not check mmu_rb_node->refcount before freeing mmu_rb_node object. If there are other SDMA requests in progress whose iovecs have pointers to the now-freed mmu_rb_node(s), those pointers to the now-freed mmu_rb nodes will be dereferenced when those SDMA requests complete.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-52474 is a Linux kernel bug in the hfi1 InfiniBand/Omni-Path driver. Under specific user SDMA request patterns, the driver can transmit unintended or wrong data and hit memory-management races. Business urgency is highest for HPC or research environments using hfi1 hardware and user SDMA.

Executive priority

Treat as targeted infrastructure maintenance, not a broad emergency. Patch promptly where hfi1 is deployed, especially shared HPC systems where kernel data corruption or driver memory bugs can disrupt workloads.

Technical view

The hfi1 user SDMA path mishandles multi-iovec payloads when a non-tail iovec ends before a page boundary. user_sdma_txadd can ignore iov_len and packet assembly can fail to advance iovecs correctly. Related mmu_rb_handler pin-cache bugs include overlapping pins, race conditions, and possible dereference of freed mmu_rb_node objects.

Likely exposure

Exposure appears limited to Linux systems using the hfi1 driver and user SDMA. The source notes hfi1 Verbs and PSM2 did not produce the problematic iovec pattern. General Linux systems without hfi1 hardware or loaded driver are unlikely to be exposed.

Exploitation context

CISA KEV is false, and the provided sources do not report active exploitation. The issue is not described as remotely exploitable. Triggering depends on specialized hfi1 user SDMA request handling with multi-iovec buffers that do not align to page boundaries.

Researcher notes

Evidence is limited to the Linux kernel CVE description and stable commit references. No CVSS, CWE, exploit report, or distribution-specific advisory is included in the provided bundle. Avoid assuming impact beyond data corruption and the documented pin-cache race/use-after-free conditions.

Mitigation direction

  • Apply vendor or distribution kernel updates containing the referenced stable Linux fixes.
  • Prioritize HPC clusters and systems with hfi1 or Intel Omni-Path adapters.
  • If hfi1 is unused, consider disabling it according to vendor guidance.
  • Review vendor advisories for exact fixed package versions.

Validation and detection

  • Inventory Linux kernel versions on systems with hfi1-capable hardware.
  • Check whether the hfi1 driver is present, loaded, or packaged.
  • Confirm kernel builds include the relevant stable commits or vendor backports.
  • Review workload use of hfi1 user SDMA, not just generic InfiniBand use.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-52474 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux7724105686e718ac476a6ad3304fea2fbcfcffde, 7724105686e718ac476a6ad3304fea2fbcfcffde, 7724105686e718ac476a6ad3304fea2fbcfcffde, 7724105686e718ac476a6ad3304fea2fbcfcffde, 7724105686e718ac476a6ad3304fea2fbcfcffde, 7724105686e718ac476a6ad3304fea2fbcfcffdeunaffected
LinuxLinux4.3, 0, 5.10.180, 5.15.111, 6.1.28, 6.2.15, 6.3.2, 6.4affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.