CVE-2023-53431 (GCVE-0-2023-53431)
Vulnerability from cvelistv5
Published: 2025-09-18 16:04
Modified: 2025-10-02 07:04
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: ses: Handle enclosure with just a primary component gracefully

This reverts commit 3fe97ff3d949 ("scsi: ses: Don't attach if enclosure has no components") and introduces proper handling of case where there are no detected secondary components, but primary component (enumerated in num_enclosures) does exist. That fix was originally proposed by Ding Hui <dinghui@sangfor.com.cn>.

Completely ignoring devices that have one primary enclosure and no secondary one results in ses_intf_add() bailing completely

    scsi 2:0:0:254: enclosure has no enumerated components
    scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such

even on valid configurations with 1 primary and 0 secondary enclosures as below:

    # sg_ses /dev/sg0
      3PARdata  SES               3321
    Supported diagnostic pages:
      Supported Diagnostic Pages [sdp] [0x0]
      Configuration (SES) [cf] [0x1]
      Short Enclosure Status (SES) [ses] [0x8]
    # sg_ses -p cf /dev/sg0
      3PARdata  SES               3321
    Configuration diagnostic page:
      number of secondary subenclosures: 0
      generation code: 0x0
      enclosure descriptor list
        Subenclosure identifier: 0 [primary]
          relative ES process id: 0, number of ES processes: 1
          number of type descriptor headers: 1
          enclosure logical identifier (hex): 20000002ac02068d
          enclosure vendor: 3PARdata  product: VV                rev: 3321
      type descriptor header and text list
        Element type: Unspecified, subenclosure id: 0
          number of possible elements: 1

The changelog for the original fix follows

=====
We can get a crash when disconnecting the iSCSI session, the call trace like this:

    [ffff00002a00fb70] kfree at ffff00000830e224
    [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4
    [ffff00002a00fbd0] device_del at ffff0000086b6a98
    [ffff00002a00fc50] device_unregister at ffff0000086b6d58
    [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c
    [ffff00002a00fca0] scsi_remove_device at ffff000008706134
    [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4
    [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0
    [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4
    [ffff00002a00fdb0] process_one_work at ffff00000810f35c
    [ffff00002a00fe00] worker_thread at ffff00000810f648
    [ffff00002a00fe70] kthread at ffff000008116e98

In ses_intf_add, components count could be 0, and kcalloc 0 size scomp, but not saved in edev->component[i].scratch

In this situation, edev->component[0].scratch is an invalid pointer, when kfree it in ses_intf_remove_enclosure, a crash like above would happen

The call trace also could be other random cases when kfree cannot catch the invalid pointer

We should not use edev->component[] array when the components count is 0

We also need check index when use edev->component[] array in ses_enclosure_data_process
=====
Impacted products
Vendor Product Version
Linux Linux Version: 9927c68864e9c39cc317b4f559309ba29e642168
Version: 9927c68864e9c39cc317b4f559309ba29e642168
Version: 9927c68864e9c39cc317b4f559309ba29e642168
Version: 9927c68864e9c39cc317b4f559309ba29e642168
Version: 9927c68864e9c39cc317b4f559309ba29e642168
Version: 9927c68864e9c39cc317b4f559309ba29e642168
Version: 9927c68864e9c39cc317b4f559309ba29e642168


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/ses.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4e7c498c3713b09bef20c76c7319555637e8bbd5",
              "status": "affected",
              "version": "9927c68864e9c39cc317b4f559309ba29e642168",
              "versionType": "git"
            },
            {
              "lessThan": "110d425cdfb15006f3c4fde5264e786a247b6b36",
              "status": "affected",
              "version": "9927c68864e9c39cc317b4f559309ba29e642168",
              "versionType": "git"
            },
            {
              "lessThan": "176d7345b89ced72020a313bfa4e7f345d1c3aed",
              "status": "affected",
              "version": "9927c68864e9c39cc317b4f559309ba29e642168",
              "versionType": "git"
            },
            {
              "lessThan": "05143d90ac90b7abc6692285895a1ef460e008ee",
              "status": "affected",
              "version": "9927c68864e9c39cc317b4f559309ba29e642168",
              "versionType": "git"
            },
            {
              "lessThan": "f8e702c54413eee2d8f94f61d18adadac7c87e87",
              "status": "affected",
              "version": "9927c68864e9c39cc317b4f559309ba29e642168",
              "versionType": "git"
            },
            {
              "lessThan": "eabc4872f172ecb8dd8536bc366a51868154a450",
              "status": "affected",
              "version": "9927c68864e9c39cc317b4f559309ba29e642168",
              "versionType": "git"
            },
            {
              "lessThan": "c8e22b7a1694bb8d025ea636816472739d859145",
              "status": "affected",
              "version": "9927c68864e9c39cc317b4f559309ba29e642168",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/ses.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.281",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.108",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.281",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.241",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.178",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.108",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.25",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.12",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Handle enclosure with just a primary component gracefully\n\nThis reverts commit 3fe97ff3d949 (\"scsi: ses: Don\u0027t attach if enclosure\nhas no components\") and introduces proper handling of case where there are\nno detected secondary components, but primary component (enumerated in\nnum_enclosures) does exist. That fix was originally proposed by Ding Hui\n\u003cdinghui@sangfor.com.cn\u003e.\n\nCompletely ignoring devices that have one primary enclosure and no\nsecondary one results in ses_intf_add() bailing completely\n\n\tscsi 2:0:0:254: enclosure has no enumerated components\n        scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such\n\neven on valid configurations with 1 primary and 0 secondary enclosures as\nbelow:\n\n\t# sg_ses /dev/sg0\n\t  3PARdata  SES               3321\n\tSupported diagnostic pages:\n\t  Supported Diagnostic Pages [sdp] [0x0]\n\t  Configuration (SES) [cf] [0x1]\n\t  Short Enclosure Status (SES) [ses] [0x8]\n\t# sg_ses -p cf /dev/sg0\n\t  3PARdata  SES               3321\n\tConfiguration diagnostic page:\n\t  number of secondary subenclosures: 0\n\t  generation code: 0x0\n\t  enclosure descriptor list\n\t    Subenclosure identifier: 0 [primary]\n\t      relative ES process id: 0, number of ES processes: 1\n\t      number of type descriptor headers: 1\n\t      enclosure logical identifier (hex): 20000002ac02068d\n\t      enclosure vendor: 3PARdata  product: VV                rev: 3321\n\t  type descriptor header and text list\n\t    Element type: Unspecified, subenclosure id: 0\n\t      number of possible elements: 1\n\nThe changelog for the original fix follows\n\n=====\nWe can get a crash when disconnecting the iSCSI session,\nthe call trace like this:\n\n  [ffff00002a00fb70] kfree at ffff00000830e224\n  [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4\n  [ffff00002a00fbd0] device_del at 
ffff0000086b6a98\n  [ffff00002a00fc50] device_unregister at ffff0000086b6d58\n  [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c\n  [ffff00002a00fca0] scsi_remove_device at ffff000008706134\n  [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4\n  [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0\n  [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4\n  [ffff00002a00fdb0] process_one_work at ffff00000810f35c\n  [ffff00002a00fe00] worker_thread at ffff00000810f648\n  [ffff00002a00fe70] kthread at ffff000008116e98\n\nIn ses_intf_add, components count could be 0, and kcalloc 0 size scomp,\nbut not saved in edev-\u003ecomponent[i].scratch\n\nIn this situation, edev-\u003ecomponent[0].scratch is an invalid pointer,\nwhen kfree it in ses_intf_remove_enclosure, a crash like above would happen\nThe call trace also could be other random cases when kfree cannot catch\nthe invalid pointer\n\nWe should not use edev-\u003ecomponent[] array when the components count is 0\nWe also need check index when use edev-\u003ecomponent[] array in\nses_enclosure_data_process\n====="
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-02T07:04:20.059Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4e7c498c3713b09bef20c76c7319555637e8bbd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/110d425cdfb15006f3c4fde5264e786a247b6b36"
        },
        {
          "url": "https://git.kernel.org/stable/c/176d7345b89ced72020a313bfa4e7f345d1c3aed"
        },
        {
          "url": "https://git.kernel.org/stable/c/05143d90ac90b7abc6692285895a1ef460e008ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8e702c54413eee2d8f94f61d18adadac7c87e87"
        },
        {
          "url": "https://git.kernel.org/stable/c/eabc4872f172ecb8dd8536bc366a51868154a450"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8e22b7a1694bb8d025ea636816472739d859145"
        }
      ],
      "title": "scsi: ses: Handle enclosure with just a primary component gracefully",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53431",
    "datePublished": "2025-09-18T16:04:11.748Z",
    "dateReserved": "2025-09-17T14:54:09.745Z",
    "dateUpdated": "2025-10-02T07:04:20.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53431\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-18T16:15:47.070\",\"lastModified\":\"2025-10-01T08:15:30.747\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: ses: Handle enclosure with just a primary component gracefully\\n\\nThis reverts commit 3fe97ff3d949 (\\\"scsi: ses: Don\u0027t attach if enclosure\\nhas no components\\\") and introduces proper handling of case where there are\\nno detected secondary components, but primary component (enumerated in\\nnum_enclosures) does exist. That fix was originally proposed by Ding Hui\\n\u003cdinghui@sangfor.com.cn\u003e.\\n\\nCompletely ignoring devices that have one primary enclosure and no\\nsecondary one results in ses_intf_add() bailing completely\\n\\n\\tscsi 2:0:0:254: enclosure has no enumerated components\\n        scsi 2:0:0:254: Failed to bind enclosure -12ven in valid configurations such\\n\\neven on valid configurations with 1 primary and 0 secondary enclosures as\\nbelow:\\n\\n\\t# sg_ses /dev/sg0\\n\\t  3PARdata  SES               3321\\n\\tSupported diagnostic pages:\\n\\t  Supported Diagnostic Pages [sdp] [0x0]\\n\\t  Configuration (SES) [cf] [0x1]\\n\\t  Short Enclosure Status (SES) [ses] [0x8]\\n\\t# sg_ses -p cf /dev/sg0\\n\\t  3PARdata  SES               3321\\n\\tConfiguration diagnostic page:\\n\\t  number of secondary subenclosures: 0\\n\\t  generation code: 0x0\\n\\t  enclosure descriptor list\\n\\t    Subenclosure identifier: 0 [primary]\\n\\t      relative ES process id: 0, number of ES processes: 1\\n\\t      number of type descriptor headers: 1\\n\\t      enclosure logical identifier (hex): 20000002ac02068d\\n\\t      enclosure vendor: 3PARdata  product: VV                rev: 3321\\n\\t  type descriptor header and text list\\n\\t    Element type: Unspecified, subenclosure id: 
0\\n\\t      number of possible elements: 1\\n\\nThe changelog for the original fix follows\\n\\n=====\\nWe can get a crash when disconnecting the iSCSI session,\\nthe call trace like this:\\n\\n  [ffff00002a00fb70] kfree at ffff00000830e224\\n  [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4\\n  [ffff00002a00fbd0] device_del at ffff0000086b6a98\\n  [ffff00002a00fc50] device_unregister at ffff0000086b6d58\\n  [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c\\n  [ffff00002a00fca0] scsi_remove_device at ffff000008706134\\n  [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4\\n  [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0\\n  [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4\\n  [ffff00002a00fdb0] process_one_work at ffff00000810f35c\\n  [ffff00002a00fe00] worker_thread at ffff00000810f648\\n  [ffff00002a00fe70] kthread at ffff000008116e98\\n\\nIn ses_intf_add, components count could be 0, and kcalloc 0 size scomp,\\nbut not saved in edev-\u003ecomponent[i].scratch\\n\\nIn this situation, edev-\u003ecomponent[0].scratch is an invalid pointer,\\nwhen kfree it in ses_intf_remove_enclosure, a crash like above would happen\\nThe call trace also could be other random cases when kfree cannot catch\\nthe invalid pointer\\n\\nWe should not use edev-\u003ecomponent[] array when the components count is 0\\nWe also need check index when use edev-\u003ecomponent[] array 
in\\nses_enclosure_data_process\\n=====\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/05143d90ac90b7abc6692285895a1ef460e008ee\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/110d425cdfb15006f3c4fde5264e786a247b6b36\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/176d7345b89ced72020a313bfa4e7f345d1c3aed\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4e7c498c3713b09bef20c76c7319555637e8bbd5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c8e22b7a1694bb8d025ea636816472739d859145\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/eabc4872f172ecb8dd8536bc366a51868154a450\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f8e702c54413eee2d8f94f61d18adadac7c87e87\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

