CVE-2023-52608
Vulnerability from cvelistv5
Published: 2024-03-13 14:01
Modified: 2024-12-19 08:22

Summary
In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Check mailbox/SMT channel for consistency

On reception of a completion interrupt the shared memory area is accessed to retrieve the message header at first and then, if the message sequence number identifies a transaction which is still pending, the related payload is fetched too.

When an SCMI command times out the channel ownership remains with the platform until eventually a late reply is received and, as a consequence, any further transmission attempt remains pending, waiting for the channel to be relinquished by the platform.

Once that late reply is received the channel ownership is given back to the agent and any pending request is then allowed to proceed and overwrite the SMT area of the just delivered late reply; then the wait for the reply to the new request starts.

It has been observed that the spurious IRQ related to the late reply can be wrongly associated with the freshly enqueued request: when that happens the SCMI stack in-flight lookup procedure is fooled by the fact that the message header now present in the SMT area is related to the new pending transaction, even though the real reply has still to arrive.

This race-condition on the A2P channel can be detected by looking at the channel status bits: a genuine reply from the platform will have set the channel free bit before triggering the completion IRQ.

Add a consistency check to validate such condition in the A2P ISR.

Impacted products

Vendor: Linux
Product: Linux
Version: 5.7


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52608",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-06T17:50:57.700750Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T17:51:11.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:21.210Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/614cc65032dcb0b64d23f5c5e338a8a04b12be5d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7f95f6997f4fdd17abec3200cae45420a5489350"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9b5e1b93c83ee5fc9f5d7bd2d45b421bd87774a2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/12dc4217f16551d6dee9cbefc23fdb5659558cda"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/437a310b22244d4e0b78665c3042e5d1c0f45306"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/arm_scmi/common.h",
            "drivers/firmware/arm_scmi/mailbox.c",
            "drivers/firmware/arm_scmi/shmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "614cc65032dcb0b64d23f5c5e338a8a04b12be5d",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            },
            {
              "lessThan": "7f95f6997f4fdd17abec3200cae45420a5489350",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            },
            {
              "lessThan": "9b5e1b93c83ee5fc9f5d7bd2d45b421bd87774a2",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            },
            {
              "lessThan": "12dc4217f16551d6dee9cbefc23fdb5659558cda",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            },
            {
              "lessThan": "437a310b22244d4e0b78665c3042e5d1c0f45306",
              "status": "affected",
              "version": "5c8a47a5a91d4d6e185f758d61997613d9c5d6ac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/arm_scmi/common.h",
            "drivers/firmware/arm_scmi/mailbox.c",
            "drivers/firmware/arm_scmi/shmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Check mailbox/SMT channel for consistency\n\nOn reception of a completion interrupt the shared memory area is accessed\nto retrieve the message header at first and then, if the message sequence\nnumber identifies a transaction which is still pending, the related\npayload is fetched too.\n\nWhen an SCMI command times out the channel ownership remains with the\nplatform until eventually a late reply is received and, as a consequence,\nany further transmission attempt remains pending, waiting for the channel\nto be relinquished by the platform.\n\nOnce that late reply is received the channel ownership is given back\nto the agent and any pending request is then allowed to proceed and\noverwrite the SMT area of the just delivered late reply; then the wait\nfor the reply to the new request starts.\n\nIt has been observed that the spurious IRQ related to the late reply can\nbe wrongly associated with the freshly enqueued request: when that happens\nthe SCMI stack in-flight lookup procedure is fooled by the fact that the\nmessage header now present in the SMT area is related to the new pending\ntransaction, even though the real reply has still to arrive.\n\nThis race-condition on the A2P channel can be detected by looking at the\nchannel status bits: a genuine reply from the platform will have set the\nchannel free bit before triggering the completion IRQ.\n\nAdd a consistency check to validate such condition in the A2P ISR."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:22:31.429Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/614cc65032dcb0b64d23f5c5e338a8a04b12be5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f95f6997f4fdd17abec3200cae45420a5489350"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b5e1b93c83ee5fc9f5d7bd2d45b421bd87774a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/12dc4217f16551d6dee9cbefc23fdb5659558cda"
        },
        {
          "url": "https://git.kernel.org/stable/c/437a310b22244d4e0b78665c3042e5d1c0f45306"
        }
      ],
      "title": "firmware: arm_scmi: Check mailbox/SMT channel for consistency",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52608",
    "datePublished": "2024-03-13T14:01:48.870Z",
    "dateReserved": "2024-03-02T21:55:42.574Z",
    "dateUpdated": "2024-12-19T08:22:31.429Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

