CVE-2023-53851 (GCVE-0-2023-53851)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: Drop aux devices together with DP controller Using devres to depopulate the aux bus made sure that upon a probe deferral the EDP panel device would be destroyed and recreated upon next attempt. But the struct device which the devres is tied to is the DPUs (drm_dev->dev), which may be happen after the DP controller is torn down. Indications of this can be seen in the commonly seen EDID-hexdump full of zeros in the log, or the occasional/rare KASAN fault where the panel's attempt to read the EDID information causes a use after free on DP resources. It's tempting to move the devres to the DP controller's struct device, but the resources used by the device(s) on the aux bus are explicitly torn down in the error path. The KASAN-reported use-after-free also remains, as the DP aux "module" explicitly frees its devres-allocated memory in this code path. As such, explicitly depopulate the aux bus in the error path, and in the component unbind path, to avoid these issues. Patchwork: https://patchwork.freedesktop.org/patch/542163/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 2b57f726611e294dc4297dd48eb8c98ef1938e82 , < e09ed06938807cb113cddd0708ed74bd8cdaff33 (git)
Affected: 2b57f726611e294dc4297dd48eb8c98ef1938e82 , < 2fde37445807e6e6d7981402d0bf1be0e5d81291 (git)
Affected: 2b57f726611e294dc4297dd48eb8c98ef1938e82 , < a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d (git)
Affected: 8768663188e4169333f66583e4d2432e65c421df (git)
Create a notification for this product.
    Linux Linux Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.3.13 , ≤ 6.3.* (semver)
Unaffected: 6.4.4 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/dp/dp_display.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e09ed06938807cb113cddd0708ed74bd8cdaff33",
              "status": "affected",
              "version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
              "versionType": "git"
            },
            {
              "lessThan": "2fde37445807e6e6d7981402d0bf1be0e5d81291",
              "status": "affected",
              "version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
              "versionType": "git"
            },
            {
              "lessThan": "a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d",
              "status": "affected",
              "version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8768663188e4169333f66583e4d2432e65c421df",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/dp/dp_display.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.13",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.4",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: Drop aux devices together with DP controller\n\nUsing devres to depopulate the aux bus made sure that upon a probe\ndeferral the EDP panel device would be destroyed and recreated upon next\nattempt.\n\nBut the struct device which the devres is tied to is the DPUs\n(drm_dev-\u003edev), which may be happen after the DP controller is torn\ndown.\n\nIndications of this can be seen in the commonly seen EDID-hexdump full\nof zeros in the log, or the occasional/rare KASAN fault where the\npanel\u0027s attempt to read the EDID information causes a use after free on\nDP resources.\n\nIt\u0027s tempting to move the devres to the DP controller\u0027s struct device,\nbut the resources used by the device(s) on the aux bus are explicitly\ntorn down in the error path. The KASAN-reported use-after-free also\nremains, as the DP aux \"module\" explicitly frees its devres-allocated\nmemory in this code path.\n\nAs such, explicitly depopulate the aux bus in the error path, and in the\ncomponent unbind path, to avoid these issues.\n\nPatchwork: https://patchwork.freedesktop.org/patch/542163/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:30:16.081Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e09ed06938807cb113cddd0708ed74bd8cdaff33"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fde37445807e6e6d7981402d0bf1be0e5d81291"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d"
        }
      ],
      "title": "drm/msm/dp: Drop aux devices together with DP controller",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53851",
    "datePublished": "2025-12-09T01:30:16.081Z",
    "dateReserved": "2025-12-09T01:27:17.827Z",
    "dateUpdated": "2025-12-09T01:30:16.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53851\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-09T16:17:25.670\",\"lastModified\":\"2025-12-09T18:37:13.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm/dp: Drop aux devices together with DP controller\\n\\nUsing devres to depopulate the aux bus made sure that upon a probe\\ndeferral the EDP panel device would be destroyed and recreated upon next\\nattempt.\\n\\nBut the struct device which the devres is tied to is the DPUs\\n(drm_dev-\u003edev), which may be happen after the DP controller is torn\\ndown.\\n\\nIndications of this can be seen in the commonly seen EDID-hexdump full\\nof zeros in the log, or the occasional/rare KASAN fault where the\\npanel\u0027s attempt to read the EDID information causes a use after free on\\nDP resources.\\n\\nIt\u0027s tempting to move the devres to the DP controller\u0027s struct device,\\nbut the resources used by the device(s) on the aux bus are explicitly\\ntorn down in the error path. The KASAN-reported use-after-free also\\nremains, as the DP aux \\\"module\\\" explicitly frees its devres-allocated\\nmemory in this code path.\\n\\nAs such, explicitly depopulate the aux bus in the error path, and in the\\ncomponent unbind path, to avoid these issues.\\n\\nPatchwork: https://patchwork.freedesktop.org/patch/542163/\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2fde37445807e6e6d7981402d0bf1be0e5d81291\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e09ed06938807cb113cddd0708ed74bd8cdaff33\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.