CVE-2023-53510

Summary

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix handling of lrbp->cmd

ufshcd_queuecommand() may be called two times in a row for a SCSI command before it is completed. Hence make the following changes:

  • In the functions that submit a command, do not check the old value of lrbp->cmd nor clear lrbp->cmd in error paths.

  • In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd.

See also scsi_send_eh_cmnd().

This commit prevents that the following appears if a command times out:

WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8 Call trace: ufshcd_queuecommand+0x6f8/0x9a8 scsi_send_eh_cmnd+0x2c0/0x960 scsi_eh_test_devices+0x100/0x314 scsi_eh_ready_devs+0xd90/0x114c scsi_error_handler+0x2b4/0xb70 kthread+0x16c/0x1e0

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5a0b0cb9bee767ef10ff9ce2fb4141af06416288 < b6d76d63c6d21d5d26c301a46853a2aee72397d5affected
LinuxLinux5a0b0cb9bee767ef10ff9ce2fb4141af06416288 < f3ee24af62681b942bbd799ac77b90a6d7e1fdb1affected
LinuxLinux5a0b0cb9bee767ef10ff9ce2fb4141af06416288 < 49234a401e161a2f2698f4612ab792c49b3cad1baffected
LinuxLinux5a0b0cb9bee767ef10ff9ce2fb4141af06416288 < 549e91a9bbaa0ee480f59357868421a61d369770affected
LinuxLinux3.12affected
LinuxLinux0 < 3.12unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.3.13 <= 6.3.*unaffected
LinuxLinux6.4.4 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References