CVE-2023-52515 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: Do not call scsi_done() from srp_abort() After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler callback, it performs one of the following actions: * Call scsi_queue_insert(). * Call scsi_finish_command(). * Call scsi_eh_scmd_add(). Hence, SCSI abort handlers must not call scsi_done(). Otherwise all the above actions would trigger a use-after-free. Hence remove the scsi_done() call from srp_abort(). Keep the srp_free_req() call before returning SUCCESS because we may not see the command again if SUCCESS is returned.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/05a10b316adaac1f322007ca9a0383b410d759cc
https://git.kernel.org/stable/c/26788a5b48d9d5cd3283d777d238631c8cd7495a
https://git.kernel.org/stable/c/2b298f9181582270d5e95774e5a6c7a7fb5b1206
https://git.kernel.org/stable/c/b9bdffb3f9aaeff8379c83f5449c6b42cb71c2b5
https://git.kernel.org/stable/c/e193b7955dfad68035b983a0011f4ef3590c85eb
https://lore.kernel.org/linux-cve-announce/2024030251-CVE-2023-52515-5af7@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2023-52515
https://www.cve.org/CVERecord?id=CVE-2023-52515

History

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-03-02T21:52:25.863Z

Updated: 2024-11-04T14:48:21.993Z

Reserved: 2024-02-20T12:30:33.316Z

Link: CVE-2023-52515

Vulnrichment

Updated: 2024-08-02T23:03:20.699Z

NVD

Status : Awaiting Analysis

Published: 2024-03-02T22:15:47.823

Modified: 2024-03-04T13:58:23.447

Link: CVE-2023-52515

Redhat

Severity : Low

Publid Date: 2024-03-02T00:00:00Z

Links: CVE-2023-52515 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52515", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.316Z", "datePublished": "2024-03-02T21:52:25.863Z", "dateUpdated": "2024-11-04T14:48:21.993Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:48:21.993Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Do not call scsi_done() from srp_abort()\n\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/ulp/srp/ib_srp.c"], "versions": [{"version": "d8536670916a", "lessThan": "26788a5b48d9", "status": "affected", "versionType": "git"}, {"version": "d8536670916a", "lessThan": "b9bdffb3f9aa", "status": "affected", "versionType": "git"}, {"version": "d8536670916a", "lessThan": "2b298f918158", "status": "affected", "versionType": "git"}, {"version": "d8536670916a", "lessThan": "05a10b316ada", "status": "affected", "versionType": "git"}, {"version": "d8536670916a", "lessThan": "e193b7955dfa", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/ulp/srp/ib_srp.c"], "versions": [{"version": "3.7", "status": "affected"}, {"version": "0", "lessThan": "3.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.199", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.136", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.57", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.7", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/26788a5b48d9d5cd3283d777d238631c8cd7495a"}, {"url": "https://git.kernel.org/stable/c/b9bdffb3f9aaeff8379c83f5449c6b42cb71c2b5"}, {"url": "https://git.kernel.org/stable/c/2b298f9181582270d5e95774e5a6c7a7fb5b1206"}, {"url": "https://git.kernel.org/stable/c/05a10b316adaac1f322007ca9a0383b410d759cc"}, {"url": "https://git.kernel.org/stable/c/e193b7955dfad68035b983a0011f4ef3590c85eb"}], "title": "RDMA/srp: Do not call scsi_done() from srp_abort()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.699Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/26788a5b48d9d5cd3283d777d238631c8cd7495a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b9bdffb3f9aaeff8379c83f5449c6b42cb71c2b5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2b298f9181582270d5e95774e5a6c7a7fb5b1206", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/05a10b316adaac1f322007ca9a0383b410d759cc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e193b7955dfad68035b983a0011f4ef3590c85eb", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:56:46.822904Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:41.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/26788a5b48d9d5cd3283d777d238631c8cd7495a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b9bdffb3f9aaeff8379c83f5449c6b42cb71c2b5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2b298f9181582270d5e95774e5a6c7a7fb5b1206", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/05a10b316adaac1f322007ca9a0383b410d759cc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e193b7955dfad68035b983a0011f4ef3590c85eb", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.699Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:56:46.822904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.124Z"}}], "cna": {"title": "RDMA/srp: Do not call scsi_done() from srp_abort()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "d8536670916a", "lessThan": "26788a5b48d9", "versionType": "git"}, {"status": "affected", "version": "d8536670916a", "lessThan": "b9bdffb3f9aa", "versionType": "git"}, {"status": "affected", "version": "d8536670916a", "lessThan": "2b298f918158", "versionType": "git"}, {"status": "affected", "version": "d8536670916a", "lessThan": "05a10b316ada", "versionType": "git"}, {"status": "affected", "version": "d8536670916a", "lessThan": "e193b7955dfa", "versionType": "git"}], "programFiles": ["drivers/infiniband/ulp/srp/ib_srp.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3.7"}, {"status": "unaffected", "version": "0", "lessThan": "3.7", "versionType": "semver"}, {"status": "unaffected", "version": "5.10.199", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.136", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.57", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.7", "versionType": "semver", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/infiniband/ulp/srp/ib_srp.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/26788a5b48d9d5cd3283d777d238631c8cd7495a"}, {"url": "https://git.kernel.org/stable/c/b9bdffb3f9aaeff8379c83f5449c6b42cb71c2b5"}, {"url": "https://git.kernel.org/stable/c/2b298f9181582270d5e95774e5a6c7a7fb5b1206"}, {"url": "https://git.kernel.org/stable/c/05a10b316adaac1f322007ca9a0383b410d759cc"}, {"url": "https://git.kernel.org/stable/c/e193b7955dfad68035b983a0011f4ef3590c85eb"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Do not call scsi_done() from srp_abort()\n\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:48:21.993Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52515", "state": "PUBLISHED", "dateUpdated": "2024-11-04T14:48:21.993Z", "dateReserved": "2024-02-20T12:30:33.316Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-03-02T21:52:25.863Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srp: Do not call scsi_done() from srp_abort()\n\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/srp: No llamar a scsi_done() desde srp_abort() Despu\u00e9s de que scmd_eh_abort_handler() haya llamado a la devoluci\u00f3n de llamada SCSI LLD eh_abort_handler, realiza una de las siguientes acciones: * Llamar a scsi_queue_insert( ). * Llame a scsi_finish_command(). * Llame a scsi_eh_scmd_add(). Por lo tanto, los controladores de abortos SCSI no deben llamar a scsi_done(). De lo contrario, todas las acciones anteriores desencadenar\u00edan un Use After Free. Por lo tanto, elimine la llamada scsi_done() de srp_abort(). Mantenga la llamada srp_free_req() antes de devolver SUCCESS porque es posible que no veamos el comando nuevamente si se devuelve SUCCESS."}], "id": "CVE-2023-52515", "lastModified": "2024-03-04T13:58:23.447", "metrics": {}, "published": "2024-03-02T22:15:47.823", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/05a10b316adaac1f322007ca9a0383b410d759cc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/26788a5b48d9d5cd3283d777d238631c8cd7495a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2b298f9181582270d5e95774e5a6c7a7fb5b1206"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b9bdffb3f9aaeff8379c83f5449c6b42cb71c2b5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e193b7955dfad68035b983a0011f4ef3590c85eb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: RDMA/srp: Do not call scsi_done() from srp_abort()", "id": "2267802", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267802"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nRDMA/srp: Do not call scsi_done() from srp_abort()\nAfter scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler\ncallback, it performs one of the following actions:\n* Call scsi_queue_insert().\n* Call scsi_finish_command().\n* Call scsi_eh_scmd_add().\nHence, SCSI abort handlers must not call scsi_done(). Otherwise all\nthe above actions would trigger a use-after-free. Hence remove the\nscsi_done() call from srp_abort(). Keep the srp_free_req() call\nbefore returning SUCCESS because we may not see the command again if\nSUCCESS is returned."], "name": "CVE-2023-52515", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52515\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52515\nhttps://lore.kernel.org/linux-cve-announce/2024030251-CVE-2023-52515-5af7@gregkh/T/#u"], "threat_severity": "Low", "upstream_fix": "kernel 5.10.199, kernel 5.15.136, kernel 6.1.57, kernel 6.5.7, kernel 6.6"}