VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54083

Description

In the Linux kernel, the following vulnerability has been resolved:

phy: tegra: xusb: Clear the driver reference in usb-phy dev

For the dual-role port, it will assign the phy dev to usb-phy dev and use the port dev driver as the dev driver of usb-phy.

When we try to destroy the port dev, it will destroy its dev driver as well. But we did not remove the reference from usb-phy dev. This might cause the use-after-free issue in KASAN.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's Tegra XUSB phy driver, dual-role port device cleanup fails to clear a usb-phy reference, leading to a use-after-free vulnerability.

Root Cause

The vulnerability resides in the Linux kernel's Tegra XUSB PHY driver (`phy: tegra: xusb`). For dual-role USB ports, the driver assigns the PHY device (phy dev) to the usb-phy device and uses the port device's driver as the usb-phy device's driver. When the port device is destroyed, its device driver is also destroyed. However, the reference from the usb-phy device to that driver is not removed, leaving a dangling pointer.

Exploitation

Exploitation requires that a dual-role port (capable of acting as both host and device) be used and subsequently removed while the usb-phy device still holds a reference to the port device's driver. No special privileges are needed beyond the ability to trigger device removal (e.g., through hot-unplug, driver unbind, or system suspend/resume cycles). An attacker with physical access or control over the USB subsystem could potentially induce the vulnerable code path.

Impact

A use-after-free condition, as reported by KASAN [1], occurs when the stale driver reference is accessed after the port device has been destroyed. This can lead to memory corruption, a kernel crash (denial of service), or potentially arbitrary code execution in kernel context.

Mitigation

The fix involves clearing the driver reference in the usb-phy device during port device teardown. Patches have been applied to the Linux kernel stable branches; users should update to a kernel version containing the commit that addresses CVE-2023-54083 [1][2][3].
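An added illustration, not code from the kernel or from this advisory: a user-space C model of the borrowed driver pointer described under Root Cause and of the teardown that clears it, as described under Mitigation. All struct and function names are hypothetical, and an `alive` flag stands in for freed memory so the stale reference can be detected without performing a real use-after-free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not a kernel identifier. */
struct drv { const char *name; bool alive; };  /* alive == false models a destroyed driver */
struct dev { const char *name; struct drv *driver; };
struct port {
    struct dev dev;       /* port dev: its driver is destroyed with it */
    struct dev *usb_phy;  /* usb-phy dev that borrows that driver (dual-role ports) */
};

/* Dual-role setup: the usb-phy dev reuses the port dev's driver pointer. */
static void port_setup_dual_role(struct port *p, struct dev *phy, struct drv *d)
{
    d->alive = true;
    p->dev.driver = d;
    p->usb_phy = phy;
    phy->driver = p->dev.driver;  /* borrowed pointer, no ownership taken */
}

/* Port teardown. With clear_ref == false the usb-phy dev keeps its pointer (the bug);
 * with clear_ref == true the reference is dropped first (the fix described above). */
static void port_destroy(struct port *p, bool clear_ref)
{
    if (clear_ref && p->usb_phy)
        p->usb_phy->driver = NULL;
    p->dev.driver->alive = false;  /* stands in for the driver being destroyed */
    p->dev.driver = NULL;
}

/* True when a device still points at a destroyed driver. In the kernel, the next
 * dereference of such a pointer is the access KASAN reports. */
static bool has_stale_driver(const struct dev *d)
{
    return d->driver != NULL && !d->driver->alive;
}

static bool stale_after_teardown(bool clear_ref)
{
    struct drv d = { "port-driver", false };       /* constructed sample objects */
    struct dev phy = { "usb-phy", NULL };
    struct port p = { { "usb2-port", NULL }, NULL };
    port_setup_dual_role(&p, &phy, &d);
    port_destroy(&p, clear_ref);
    return has_stale_driver(&phy);
}

int main(void)
{
    printf("without clearing: stale=%d\n", stale_after_teardown(false));
    printf("with clearing:    stale=%d\n", stale_after_teardown(true));
    return 0;
}
```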

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 5


References: 5
