Bug 2424946 (CVE-2023-53998) - CVE-2023-53998 kernel: hwrng: virtio - Fix race on data_avail and actual data
Summary: CVE-2023-53998 kernel: hwrng: virtio - Fix race on data_avail and actual data
Keywords:
Status: NEW
Alias: CVE-2023-53998
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-24 12:02 UTC by OSIDB Bzimport
Modified: 2026-04-01 17:58 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-24 12:02:46 UTC 
In the Linux kernel, the following vulnerability has been resolved:

hwrng: virtio - Fix race on data_avail and actual data

The virtio rng device kicks off a new entropy request whenever the
data available reaches zero.  When a new request occurs at the end
of a read operation, that is, when the result of that request is
only needed by the next reader, then there is a race between the
writing of the new data and the next reader.

This is because there is no synchronisation whatsoever between the
writer and the reader.

Fix this by writing data_avail with smp_store_release and reading
it with smp_load_acquire when we first enter read.  The subsequent
reads are safe because they're either protected by the first load
acquire, or by the completion mechanism.

Also remove the redundant zeroing of data_idx in random_recv_done
(data_idx must already be zero at this point) and data_avail in
request_entropy (ditto).
Comment 1 Alexander B 2025-12-25 13:56:04 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025122426-CVE-2023-53998-2282@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.