CVE-2023-52505 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers The protocol converter configuration registers PCC8, PCCC, PCCD (implemented by the driver), as well as others, control protocol converters from multiple lanes (each represented as a different struct phy). So, if there are simultaneous calls to phy_set_mode_ext() to lanes sharing the same PCC register (either for the "old" or for the "new" protocol), corruption of the values programmed to hardware is possible, because lynx_28g_rmw() has no locking. Add a spinlock in the struct lynx_28g_priv shared by all lanes, and take the global spinlock from the phy_ops :: set_mode() implementation. There are no other callers which modify PCC registers.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/139ad1143151a07be93bf741d4ea7c89e59f89ce
https://git.kernel.org/stable/c/6f901f8448c6b25ed843796b114471d2a3fc5dfb
https://git.kernel.org/stable/c/c2d7c79898b427d263c64a4841987eec131f2d4e
https://lore.kernel.org/linux-cve-announce/2024030249-CVE-2023-52505-8ac5@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2023-52505
https://www.cve.org/CVERecord?id=CVE-2023-52505

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-03-02T21:52:19.215Z

Updated: 2024-11-04T14:48:10.352Z

Reserved: 2024-02-20T12:30:33.314Z

Link: CVE-2023-52505

Vulnrichment

Updated: 2024-08-02T23:03:20.376Z

NVD

Status : Awaiting Analysis

Published: 2024-03-02T22:15:47.350

Modified: 2024-03-04T13:58:23.447

Link: CVE-2023-52505

Redhat

Severity : Low

Publid Date: 2024-03-02T00:00:00Z

Links: CVE-2023-52505 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52505", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.314Z", "datePublished": "2024-03-02T21:52:19.215Z", "dateUpdated": "2024-11-04T14:48:10.352Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:48:10.352Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers\n\nThe protocol converter configuration registers PCC8, PCCC, PCCD\n(implemented by the driver), as well as others, control protocol\nconverters from multiple lanes (each represented as a different\nstruct phy). So, if there are simultaneous calls to phy_set_mode_ext()\nto lanes sharing the same PCC register (either for the \"old\" or for the\n\"new\" protocol), corruption of the values programmed to hardware is\npossible, because lynx_28g_rmw() has no locking.\n\nAdd a spinlock in the struct lynx_28g_priv shared by all lanes, and take\nthe global spinlock from the phy_ops :: set_mode() implementation. There\nare no other callers which modify PCC registers."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/phy/freescale/phy-fsl-lynx-28g.c"], "versions": [{"version": "8f73b37cf3fb", "lessThan": "6f901f8448c6", "status": "affected", "versionType": "git"}, {"version": "8f73b37cf3fb", "lessThan": "c2d7c79898b4", "status": "affected", "versionType": "git"}, {"version": "8f73b37cf3fb", "lessThan": "139ad1143151", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/phy/freescale/phy-fsl-lynx-28g.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.59", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.8", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/6f901f8448c6b25ed843796b114471d2a3fc5dfb"}, {"url": "https://git.kernel.org/stable/c/c2d7c79898b427d263c64a4841987eec131f2d4e"}, {"url": "https://git.kernel.org/stable/c/139ad1143151a07be93bf741d4ea7c89e59f89ce"}], "title": "phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52505", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-11T15:02:00.830027Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:23:17.026Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.376Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6f901f8448c6b25ed843796b114471d2a3fc5dfb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c2d7c79898b427d263c64a4841987eec131f2d4e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/139ad1143151a07be93bf741d4ea7c89e59f89ce", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6f901f8448c6b25ed843796b114471d2a3fc5dfb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c2d7c79898b427d263c64a4841987eec131f2d4e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/139ad1143151a07be93bf741d4ea7c89e59f89ce", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.376Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52505", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-11T15:02:00.830027Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:16.700Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "8f73b37cf3fb", "lessThan": "6f901f8448c6", "versionType": "git"}, {"status": "affected", "version": "8f73b37cf3fb", "lessThan": "c2d7c79898b4", "versionType": "git"}, {"status": "affected", "version": "8f73b37cf3fb", "lessThan": "139ad1143151", "versionType": "git"}], "programFiles": ["drivers/phy/freescale/phy-fsl-lynx-28g.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.18"}, {"status": "unaffected", "version": "0", "lessThan": "5.18", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.59", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.8", "versionType": "semver", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/phy/freescale/phy-fsl-lynx-28g.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6f901f8448c6b25ed843796b114471d2a3fc5dfb"}, {"url": "https://git.kernel.org/stable/c/c2d7c79898b427d263c64a4841987eec131f2d4e"}, {"url": "https://git.kernel.org/stable/c/139ad1143151a07be93bf741d4ea7c89e59f89ce"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers\n\nThe protocol converter configuration registers PCC8, PCCC, PCCD\n(implemented by the driver), as well as others, control protocol\nconverters from multiple lanes (each represented as a different\nstruct phy). So, if there are simultaneous calls to phy_set_mode_ext()\nto lanes sharing the same PCC register (either for the \"old\" or for the\n\"new\" protocol), corruption of the values programmed to hardware is\npossible, because lynx_28g_rmw() has no locking.\n\nAdd a spinlock in the struct lynx_28g_priv shared by all lanes, and take\nthe global spinlock from the phy_ops :: set_mode() implementation. There\nare no other callers which modify PCC registers."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:48:10.352Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52505", "state": "PUBLISHED", "dateUpdated": "2024-11-04T14:48:10.352Z", "dateReserved": "2024-02-20T12:30:33.314Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-03-02T21:52:19.215Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers\n\nThe protocol converter configuration registers PCC8, PCCC, PCCD\n(implemented by the driver), as well as others, control protocol\nconverters from multiple lanes (each represented as a different\nstruct phy). So, if there are simultaneous calls to phy_set_mode_ext()\nto lanes sharing the same PCC register (either for the \"old\" or for the\n\"new\" protocol), corruption of the values programmed to hardware is\npossible, because lynx_28g_rmw() has no locking.\n\nAdd a spinlock in the struct lynx_28g_priv shared by all lanes, and take\nthe global spinlock from the phy_ops :: set_mode() implementation. There\nare no other callers which modify PCC registers."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: phy: lynx-28g: serializa llamadas concurrentes phy_set_mode_ext() a registros compartidos La configuraci\u00f3n del convertidor de protocolo registra PCC8, PCCC, PCCD (implementado por el controlador), as\u00ed como otros, control convertidores de protocolo de m\u00faltiples carriles (cada uno representado como una estructura f\u00edsica diferente). Por lo tanto, si hay llamadas simult\u00e1neas a phy_set_mode_ext() a carriles que comparten el mismo registro PCC (ya sea para el protocolo \"antiguo\" o para el \"nuevo\"), es posible que se da\u00f1en los valores programados en el hardware, porque lynx_28g_rmw() no tiene cierre. Agregue un spinlock en la estructura lynx_28g_priv compartida por todos los carriles y tome el spinlock global de la implementaci\u00f3n phy_ops :: set_mode(). No hay otros llamantes que modifiquen los registros PCC."}], "id": "CVE-2023-52505", "lastModified": "2024-03-04T13:58:23.447", "metrics": {}, "published": "2024-03-02T22:15:47.350", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/139ad1143151a07be93bf741d4ea7c89e59f89ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6f901f8448c6b25ed843796b114471d2a3fc5dfb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c2d7c79898b427d263c64a4841987eec131f2d4e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers", "id": "2267778", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267778"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-414", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nphy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers\nThe protocol converter configuration registers PCC8, PCCC, PCCD\n(implemented by the driver), as well as others, control protocol\nconverters from multiple lanes (each represented as a different\nstruct phy). So, if there are simultaneous calls to phy_set_mode_ext()\nto lanes sharing the same PCC register (either for the \"old\" or for the\n\"new\" protocol), corruption of the values programmed to hardware is\npossible, because lynx_28g_rmw() has no locking.\nAdd a spinlock in the struct lynx_28g_priv shared by all lanes, and take\nthe global spinlock from the phy_ops :: set_mode() implementation. There\nare no other callers which modify PCC registers."], "name": "CVE-2023-52505", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52505\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52505\nhttps://lore.kernel.org/linux-cve-announce/2024030249-CVE-2023-52505-8ac5@gregkh/T/#u"], "threat_severity": "Low", "upstream_fix": "kernel 6.1.59, kernel 6.5.8, kernel 6.6"}