{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52517", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.317Z", "datePublished": "2024-03-02T21:52:27.152Z", "dateUpdated": "2025-05-04T07:38:25.175Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:38:25.175Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-sun6i.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "36b29974a7ad2ff604c24ad348f940506c7b1209", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4e149d524678431638ff378ef6025e4e89b71097", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "1f11f4202caf5710204d334fe63392052783876d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/spi/spi-sun6i.c"], "versions": [{"version": "5.15.134", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.56", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.6", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.56"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f"}, {"url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209"}, {"url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097"}, {"url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d"}], "title": "spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.853Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:56:43.553628Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:40.654Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.853Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:56:43.553628Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:18.065Z"}}], "cna": {"title": "spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "36b29974a7ad2ff604c24ad348f940506c7b1209", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "4e149d524678431638ff378ef6025e4e89b71097", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "1f11f4202caf5710204d334fe63392052783876d", "versionType": "git"}], "programFiles": ["drivers/spi/spi-sun6i.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.15.134", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.56", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.6", "versionType": "semver", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/spi/spi-sun6i.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f"}, {"url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209"}, {"url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097"}, {"url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.134"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.56"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.5.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:38:25.175Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52517", "state": "PUBLISHED", "dateUpdated": "2025-05-04T07:38:25.175Z", "dateReserved": "2024-02-20T12:30:33.317Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-03-02T21:52:27.152Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC2BFB97-FE0F-4C79-9818-2EDA2532E918", "versionEndExcluding": "5.15.134", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EA89569-DD45-4A69-BB4D-8356FA9386BD", "versionEndExcluding": "6.1.56", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "870FC772-173A-4A0F-B1AF-7976AD6057D3", "versionEndExcluding": "6.5.6", "versionStartIncluding": "6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: spi: sun6i: corrigi\u00f3 la ejecuci\u00f3n entre la finalizaci\u00f3n de la transferencia DMA RX y el drenaje FIFO RX Anteriormente, la IRQ completa de la transferencia se drenaba inmediatamente a RX FIFO para leer cualquier dato restante en FIFO al b\u00fafer RX. Este comportamiento es correcto cuando se trata de SPI en modo de interrupci\u00f3n. Sin embargo, en el modo DMA, la interrupci\u00f3n de transferencia completa a\u00fan se activa tan pronto como todos los bytes a transferir se hayan almacenado en el FIFO. En ese momento, el motor DMA todav\u00eda debe recoger los datos del FIFO. Por lo tanto, el procedimiento de drenaje y el motor DMA terminan corriendo para leer desde RX FIFO, corrompiendo cualquier lectura de datos. Adem\u00e1s, el puntero del b\u00fafer RX nunca se ajusta seg\u00fan el progreso de DMA en modo DMA, por lo que llamar al procedimiento de drenaje FIFO de RX en modo DMA es un error. Corrija corrupciones en el modo DMA RX drenando RX FIFO solo en modo de interrupci\u00f3n. Espere tambi\u00e9n a que se complete RX DMA cuando est\u00e9 en modo DMA antes de regresar para asegurarse de que todos los datos se hayan copiado en el b\u00fafer de memoria suministrado."}], "id": "CVE-2023-52517", "lastModified": "2025-01-13T18:54:30.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-02T22:15:47.923", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain", "id": "2267800", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267800"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer.", "A flaw was found in the spi-sun6i module in the Linux kernel. A race condition between the drain procedure and the DMA engine can corrupt any data read."], "name": "CVE-2023-52517", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52517\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52517\nhttps://lore.kernel.org/linux-cve-announce/2024030252-CVE-2023-52517-30dc@gregkh/T/#u"], "statement": "The spi-sun6i module is not built in the kernel shipped in Red Hat Enterprise Linux, so it is not affected by this vulnerability.", "threat_severity": "Moderate"}

{}