CVE-2023-52785 scsi: ufs: core: Fix racing issue between ufshcd_mcq_abort() and ISR

2024-05-2115:31:03

Linux

github.com

linux kernel

vulnerability

scsi

ufs

racing issue

error log

command timeout

irq

null pointer

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix racing issue between ufshcd_mcq_abort() and ISR

If command timeout happens and cq complete IRQ is raised at the same time,
ufshcd_mcq_abort clears lprb->cmd and a NULL pointer deref happens in the
ISR. Error log:

ufshcd_abort: Device abort task at tag 18
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000108
pc : [0xffffffe27ef867ac] scsi_dma_unmap+0xc/0x44
lr : [0xffffffe27f1b898c] ufshcd_release_scsi_cmd+0x24/0x114

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "f1304d442077",
        "lessThan": "8f15a7e3c054",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "f1304d442077",
        "lessThan": "f84d461f33a6",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "f1304d442077",
        "lessThan": "27900d7119c4",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "drivers/ufs/core/ufs-mcq.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "6.5"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "6.5",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "6.5.13",
        "versionType": "custom",
        "lessThanOrEqual": "6.5.*"
      },
      {
        "status": "unaffected",
        "version": "6.6.3",
        "versionType": "custom",
        "lessThanOrEqual": "6.6.*"
      },
      {
        "status": "unaffected",
        "version": "6.7",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "drivers/ufs/core/ufs-mcq.c"
    ],
    "defaultStatus": "affected"
  }
]