CVE-2023-53803
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
A fix for:
BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses] Read of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271
Checking after (and before in the next loop) addl_desc_ptr[1] is sufficient; we expect the size to be sanitized before the first access to addl_desc_ptr[1]. Make sure we don't walk beyond the end of the page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A slab-out-of-bounds read in the Linux kernel's SES driver occurs while processing enclosure data: the descriptor walk in ses_enclosure_data_process() reads the length byte addl_desc_ptr[1] without first checking that it still lies inside the received page.
What the vulnerability is
In the Linux kernel's SCSI Enclosure Services (SES) driver, ses_enclosure_data_process() walks the additional element descriptors of an enclosure page. Each step advances addl_desc_ptr by the length byte at addl_desc_ptr[1] and then reads the length byte at the new position. Before the fix, nothing verified that the advanced pointer was still inside the page, so length bytes supplied by the device can carry the pointer past the end of the allocation; the KASAN report captures this as a 1-byte read at ffff88a1b043a451, raised from the systemd-udevd task. The fix relies on the existing sanitisation of the page size before the first access to addl_desc_ptr[1] and adds a check after each advance (which is also the check before the next iteration), so the walk stops at the end of the page [1][2][3].
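The walk described above, as an added userspace model rather than kernel code: the descriptor layout (length in byte 1, two-byte header), the helper names, the slab/page sizes and the sample bytes are all constructed here, and the bounds check is written after the commit message's description rather than copied from the kernel source. The pre-fix loop trusts every length byte; the post-fix loop drops the pointer as soon as an advance lands its length byte at or beyond the page end.

```c
/*
 * Userspace model of the additional-element descriptor walk in the SES
 * driver's ses_enclosure_data_process(). Added illustration, not kernel code:
 * layout, names, sizes and sample bytes are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model assumption: byte 1 of each descriptor is its length, data follows. */
#define DESC_HDR_LEN 2

struct walk_result {
    int visited;          /* descriptors whose length byte was consumed */
    size_t max_read_off;  /* highest offset from page start that was read */
    int beyond_page;      /* 1 if any read landed at or past page_len */
};

static void note_read(struct walk_result *r, size_t off, size_t page_len)
{
    if (off > r->max_read_off)
        r->max_read_off = off;
    if (off >= page_len)
        r->beyond_page = 1;
}

/*
 * Pre-fix behaviour: advance by addl_desc_ptr[1] + 2 for every element the
 * enclosure announced and trust that the data fits. slab_len is a model-only
 * guard so this program stays memory-safe; the kernel had no such guard,
 * which is what KASAN reported.
 */
static struct walk_result walk_unchecked(const uint8_t *slab, size_t slab_len,
                                         size_t page_len, int nelem)
{
    struct walk_result r = {0, 0, 0};
    const uint8_t *p = slab;

    for (int i = 0; i < nelem; i++) {
        size_t off = (size_t)(p - slab) + 1;
        if (off >= slab_len)            /* model guard only */
            break;
        note_read(&r, off, page_len);
        r.visited++;
        p += p[1] + DESC_HDR_LEN;       /* p[1] may already be past page_len */
    }
    return r;
}

/*
 * Post-fix behaviour: after each advance, drop the pointer if its length byte
 * would sit at or beyond the end of the page, so the next iteration never
 * reads it. The first read is covered by the page-size sanitisation that the
 * commit message says already happens (modelled as page_len >= DESC_HDR_LEN).
 */
static struct walk_result walk_checked(const uint8_t *slab, size_t page_len,
                                       int nelem)
{
    struct walk_result r = {0, 0, 0};
    const uint8_t *end = slab + page_len;
    const uint8_t *p = page_len >= DESC_HDR_LEN ? slab : NULL;

    for (int i = 0; i < nelem && p; i++) {
        note_read(&r, (size_t)(p - slab) + 1, page_len);
        r.visited++;
        p += p[1] + DESC_HDR_LEN;
        if (p + 1 >= end)               /* the added bounds check */
            p = NULL;
    }
    return r;
}

/*
 * Constructed sample: a 32-byte slab holding an 8-byte page with two
 * descriptors, while the enclosure claims three elements. Bytes past the
 * page are stale slab contents (zero here).
 */
#define SLAB_LEN 32
#define PAGE_LEN 8
#define NELEM 3

static const uint8_t sample_slab[SLAB_LEN] = {
    0x00, 0x02, 0xAA, 0xBB,   /* descriptor 0: length 2 */
    0x00, 0x02, 0xCC, 0xDD,   /* descriptor 1: length 2 */
};

int main(void)
{
    struct walk_result u = walk_unchecked(sample_slab, SLAB_LEN, PAGE_LEN, NELEM);
    struct walk_result c = walk_checked(sample_slab, PAGE_LEN, NELEM);

    printf("unchecked: visited %d, max read offset %zu, beyond page: %d\n",
           u.visited, u.max_read_off, u.beyond_page);
    printf("checked:   visited %d, max read offset %zu, beyond page: %d\n",
           c.visited, c.max_read_off, c.beyond_page);
    return 0;
}
```

With the sample page, the unchecked walk reads offset 9 of an 8-byte page on its third iteration (the model's stand-in for the 1-byte KASAN read), while the checked walk stops after the second descriptor because the advanced pointer already sits at the page end.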
How it is exploited
The descriptor bytes come from the enclosure itself, so an attacker must control, or be able to impersonate, an SES-capable SCSI device that returns a malformed enclosure page; attaching such a device with physical access is the usual route. No privileges on the host are required beyond getting the device enumerated: the KASAN report was raised from systemd-udevd, meaning the code path runs during ordinary device enumeration when udev probes the enclosure [1][2][3].
Impact
The direct consequence is an out-of-bounds read that can crash the kernel (denial of service). Because the misread byte is used as the length for the next advance, a single bad byte pushes the walk further out of bounds rather than stopping it, and the bytes read this way could in principle expose kernel memory contents. The flaw is a read, not a write, so it does not by itself provide code execution, and the references document only the crash [1][2][3].
Mitigation status
The fix commit and its stable-tree backports are listed under Patches and References [1][2][3]. Apply a kernel release that contains the fix, or backport the patch. No workaround is mentioned by the vendor; as general hardening rather than vendor guidance, hosts that do not need enclosure services can keep the ses module from loading, which removes the affected code path.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- da1a955c48a1
- 9e5c7d52085b
- 467afb1dd630
- e4dd25da784b
- 2b28a7d261cb
- 0dfe68394cbe
- 799e8dd2022d
- 9b4f5028e493
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0dfe68394cbe1d4fe579fb325ecc813c50528c5a (nvd)
- git.kernel.org/stable/c/2b28a7d261cb309912596d6a2d383ca370483527 (nvd)
- git.kernel.org/stable/c/467afb1dd630d8c6d172bd6cacc125199b5f4f2d (nvd)
- git.kernel.org/stable/c/799e8dd2022d2e13f0c5c1906b40ceca07a23349 (nvd)
- git.kernel.org/stable/c/9b4f5028e493cb353a5c8f5c45073eeea0303abd (nvd)
- git.kernel.org/stable/c/9e5c7d52085b8c84bc82a261580f0eb170039325 (nvd)
- git.kernel.org/stable/c/da1a955c48a16e16e925d6544793914e52a6fa51 (nvd)
- git.kernel.org/stable/c/e4dd25da784b2e07dbfbf04509afa4c5a1375227 (nvd)
News mentions
No linked articles in our index yet.