Incomplete Cleanup Affecting kernel-rt-64k-devel-matched package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS9-KERNELRT64KDEVELMATCHED-12725180
- published16 Sept 2025
- disclosed15 Sept 2025
Introduced: 15 Sep 2025
NewCVE-2023-53169 (opens in a new tab)How to fix?
There is no fixed version for Centos:9 kernel-rt-64k-devel-matched.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-rt-64k-devel-matched package and not the kernel-rt-64k-devel-matched package as distributed by Centos.
See How to fix? for Centos:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
x86/resctrl: Clear staged_config[] before and after it is used
As a temporary storage, staged_config[] in rdt_domain should be cleared before and after it is used. The stale value in staged_config[] could cause an MSR access error.
Here is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3 Cache (MBA should be disabled if the number of CLOSIDs for MB is less than 16.) : mount -t resctrl resctrl -o cdp /sys/fs/resctrl mkdir /sys/fs/resctrl/p{1..7} umount /sys/fs/resctrl/ mount -t resctrl resctrl /sys/fs/resctrl mkdir /sys/fs/resctrl/p{1..8}
An error occurs when creating resource group named p8: unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60) Call Trace: <IRQ> __flush_smp_call_function_queue+0x11d/0x170 __sysvec_call_function+0x24/0xd0 sysvec_call_function+0x89/0xc0 </IRQ> <TASK> asm_sysvec_call_function+0x16/0x20
When creating a new resource control group, hardware will be configured by the following process: rdtgroup_mkdir() rdtgroup_mkdir_ctrl_mon() rdtgroup_init_alloc() resctrl_arch_update_domains()
resctrl_arch_update_domains() iterates and updates all resctrl_conf_type whose have_new_ctrl is true. Since staged_config[] holds the same values as when CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA configurations. When group p8 is created, get_config_index() called in resctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for CDP_CODE and CDP_DATA, which will be translated to an invalid register - 0xca0 in this scenario.
Fix it by clearing staged_config[] before and after it is used.
[reinette: re-order commit tags]
References
- https://access.redhat.com/security/cve/CVE-2023-53169
- https://git.kernel.org/stable/c/0424a7dfe9129b93f29b277511a60e87f052ac6b
- https://git.kernel.org/stable/c/3fc5941ecc31a495b6b84b465f36155009db99b5
- https://git.kernel.org/stable/c/86db319d25db70cf4af4557e05f6fa6f39c70003
- https://git.kernel.org/stable/c/8ecc60ef9318f0d533b866fa421858cc185bccfc