CVE-2023-52808 in Linuxinfo

Summary

by MITRE • 05/21/2024

In the Linux kernel, the following vulnerability has been resolved:

scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs

If init debugfs failed during device registration due to memory allocation failure, debugfs_remove_recursive() is called, after which debugfs_dir is not set to NULL. debugfs_remove_recursive() will be called again during device removal. As a result, illegal pointer is accessed.

[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!
... [ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 1669.872669] pc : down_write+0x24/0x70
[ 1669.876315] lr : down_write+0x1c/0x70
[ 1669.879961] sp : ffff000036f53a30
[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8
[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000
[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270
[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8
[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310
[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10
[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000
[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870
[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228
[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0
[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10
[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff
[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00
[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000
[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001
[ 1669.962563] Call trace:
[ 1669.965000] down_write+0x24/0x70
[ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0
[ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]
[ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]
[ 1669.984175] pci_device_remove+0x48/0xd8
[ 1669.988082] device_release_driver_internal+0x1b4/0x250
[ 1669.993282] device_release_driver+0x28/0x38
[ 1669.997534] pci_stop_bus_device+0x84/0xb8
[ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40
[ 1670.007244] remove_store+0xfc/0x140
[ 1670.010802] dev_attr_store+0x44/0x60
[ 1670.014448] sysfs_kf_write+0x58/0x80
[ 1670.018095] kernfs_fop_write+0xe8/0x1f0
[ 1670.022000] __vfs_write+0x60/0x190
[ 1670.025472] vfs_write+0xac/0x1c0
[ 1670.028771] ksys_write+0x6c/0xd8
[ 1670.032071] __arm64_sys_write+0x24/0x30
[ 1670.035977] el0_svc_common+0x78/0x130
[ 1670.039710] el0_svc_handler+0x38/0x78
[ 1670.043442] el0_svc+0x8/0xc

To fix this, set debugfs_dir to NULL after debugfs_remove_recursive().

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/21/2024

The vulnerability described in CVE-2023-52808 resides within the Linux kernel's SCSI subsystem, specifically in the hisi_sas driver responsible for handling Hisi SAS controllers. This flaw manifests as a double-free or use-after-free condition that arises from improper handling of debugfs directory pointers during device initialization and removal phases. When memory allocation fails during debugfs initialization, the driver invokes debugfs_remove_recursive() but neglects to set the debugfs_dir pointer to NULL, leading to subsequent access of a stale pointer during device removal.

The technical root cause of this issue lies in the driver's failure to properly manage the lifecycle of the debugfs directory structure. During device registration, if debugfs initialization fails due to memory constraints, the code path executes debugfs_remove_recursive() on what may already be a null or invalid pointer. Subsequently, during normal device removal, the same function gets called again, resulting in a kernel NULL pointer dereference at virtual address 0x00000000000000a0. This specific memory access pattern triggers a kernel oops and can lead to system instability or potential privilege escalation depending on the execution context.

The operational impact of this vulnerability is significant within embedded systems and server environments that utilize Hisi SAS controllers, particularly those running Linux kernels with affected versions. The flaw can cause system crashes or panics during device removal operations, potentially leading to denial of service conditions. From a cybersecurity perspective, this vulnerability aligns with CWE-476 which describes NULL pointer dereference, and can be categorized under ATT&CK technique T1490 for deletion of system data and T1547.001 for registry run keys. The vulnerability represents a classic case of improper resource management where the debugfs subsystem's cleanup routines fail to maintain proper state tracking.

The fix for CVE-2023-52808 implements a straightforward but critical defensive programming measure that sets the debugfs_dir pointer to NULL immediately after calling debugfs_remove_recursive(). This simple yet essential modification ensures that subsequent calls to debugfs removal functions will not attempt to operate on freed or invalid memory locations. The solution follows established kernel development practices for managing debugfs resources and prevents the double invocation of cleanup routines that leads to the NULL pointer dereference. Organizations should prioritize patching affected systems to prevent exploitation of this vulnerability, particularly in mission-critical environments where system stability is paramount and where the presence of Hisi SAS controllers has been identified.

Disclosure

05/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00239

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!