CVE-2023-52463 (GCVE-0-2023-52463)

Vulnerability from cvelistv5 – Published: 2024-02-23 14:46 – Updated: 2025-05-04 12:49
VLAI?
Title
efivarfs: force RO when remounting if SetVariable is not supported
Summary
In the Linux kernel, the following vulnerability has been resolved: efivarfs: force RO when remounting if SetVariable is not supported If SetVariable at runtime is not supported by the firmware we never assign a callback for that function. At the same time mount the efivarfs as RO so no one can call that. However, we never check the permission flags when someone remounts the filesystem as RW. As a result this leads to a crash looking like this: $ mount -o remount,rw /sys/firmware/efi/efivars $ efi-updatevar -f PK.auth PK [ 303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 303.280482] Mem abort info: [ 303.280854] ESR = 0x0000000086000004 [ 303.281338] EC = 0x21: IABT (current EL), IL = 32 bits [ 303.282016] SET = 0, FnV = 0 [ 303.282414] EA = 0, S1PTW = 0 [ 303.282821] FSC = 0x04: level 0 translation fault [ 303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000 [ 303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ 303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP [ 303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6 [ 303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1 [ 303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023 [ 303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 303.292123] pc : 0x0 [ 303.292443] lr : efivar_set_variable_locked+0x74/0xec [ 303.293156] sp : ffff800008673c10 [ 303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000 [ 303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027 [ 303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000 [ 303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000 [ 303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54 [ 303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4 [ 303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002 [ 303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201 [ 303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc [ 303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000 [ 303.303341] Call trace: [ 303.303679] 0x0 [ 303.303938] efivar_entry_set_get_size+0x98/0x16c [ 303.304585] efivarfs_file_write+0xd0/0x1a4 [ 303.305148] vfs_write+0xc4/0x2e4 [ 303.305601] ksys_write+0x70/0x104 [ 303.306073] __arm64_sys_write+0x1c/0x28 [ 303.306622] invoke_syscall+0x48/0x114 [ 303.307156] el0_svc_common.constprop.0+0x44/0xec [ 303.307803] do_el0_svc+0x38/0x98 [ 303.308268] el0_svc+0x2c/0x84 [ 303.308702] el0t_64_sync_handler+0xf4/0x120 [ 303.309293] el0t_64_sync+0x190/0x194 [ 303.309794] Code: ???????? ???????? ???????? ???????? (????????) [ 303.310612] ---[ end trace 0000000000000000 ]--- Fix this by adding a .reconfigure() function to the fs operations which we can use to check the requested flags and deny anything that's not RO if the firmware doesn't implement SetVariable at runtime.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: f88814cc2578c121e6edef686365036db72af0ed , < 94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8 (git)
Affected: f88814cc2578c121e6edef686365036db72af0ed , < 2aa141f8bc580f8f9811dfe4e0e6009812b73826 (git)
Affected: f88814cc2578c121e6edef686365036db72af0ed , < d4a9aa7db574a0da64307729cc031fb68597aa8b (git)
Affected: f88814cc2578c121e6edef686365036db72af0ed , < 0049fe7e4a85849bdd778cdb72e51a791ff3d737 (git)
Affected: f88814cc2578c121e6edef686365036db72af0ed , < d4a714873db0866cc471521114eeac4a5072d548 (git)
Affected: f88814cc2578c121e6edef686365036db72af0ed , < 0e8d2444168dd519fea501599d150e62718ed2fe (git)
Affected: 552952e51fad35670459674bcb8a03bd96fe4646 (git)
Create a notification for this product.
    Linux Linux Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.209 , ≤ 5.10.* (semver)
Unaffected: 5.15.148 , ≤ 5.15.* (semver)
Unaffected: 6.1.75 , ≤ 6.1.* (semver)
Unaffected: 6.6.14 , ≤ 6.6.* (semver)
Unaffected: 6.7.2 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52463",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-04T20:59:53.029082Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:24.597Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:19.782Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2aa141f8bc580f8f9811dfe4e0e6009812b73826"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d4a9aa7db574a0da64307729cc031fb68597aa8b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0049fe7e4a85849bdd778cdb72e51a791ff3d737"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d4a714873db0866cc471521114eeac4a5072d548"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0e8d2444168dd519fea501599d150e62718ed2fe"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/efivarfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8",
              "status": "affected",
              "version": "f88814cc2578c121e6edef686365036db72af0ed",
              "versionType": "git"
            },
            {
              "lessThan": "2aa141f8bc580f8f9811dfe4e0e6009812b73826",
              "status": "affected",
              "version": "f88814cc2578c121e6edef686365036db72af0ed",
              "versionType": "git"
            },
            {
              "lessThan": "d4a9aa7db574a0da64307729cc031fb68597aa8b",
              "status": "affected",
              "version": "f88814cc2578c121e6edef686365036db72af0ed",
              "versionType": "git"
            },
            {
              "lessThan": "0049fe7e4a85849bdd778cdb72e51a791ff3d737",
              "status": "affected",
              "version": "f88814cc2578c121e6edef686365036db72af0ed",
              "versionType": "git"
            },
            {
              "lessThan": "d4a714873db0866cc471521114eeac4a5072d548",
              "status": "affected",
              "version": "f88814cc2578c121e6edef686365036db72af0ed",
              "versionType": "git"
            },
            {
              "lessThan": "0e8d2444168dd519fea501599d150e62718ed2fe",
              "status": "affected",
              "version": "f88814cc2578c121e6edef686365036db72af0ed",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "552952e51fad35670459674bcb8a03bd96fe4646",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/efivarfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.209",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.148",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.75",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.14",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.2",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.7.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: force RO when remounting if SetVariable is not supported\n\nIf SetVariable at runtime is not supported by the firmware we never assign\na callback for that function. At the same time mount the efivarfs as\nRO so no one can call that.  However, we never check the permission flags\nwhen someone remounts the filesystem as RW. As a result this leads to a\ncrash looking like this:\n\n$ mount -o remount,rw /sys/firmware/efi/efivars\n$ efi-updatevar -f PK.auth PK\n\n[  303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[  303.280482] Mem abort info:\n[  303.280854]   ESR = 0x0000000086000004\n[  303.281338]   EC = 0x21: IABT (current EL), IL = 32 bits\n[  303.282016]   SET = 0, FnV = 0\n[  303.282414]   EA = 0, S1PTW = 0\n[  303.282821]   FSC = 0x04: level 0 translation fault\n[  303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000\n[  303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[  303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n[  303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6\n[  303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1\n[  303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023\n[  303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  303.292123] pc : 0x0\n[  303.292443] lr : efivar_set_variable_locked+0x74/0xec\n[  303.293156] sp : ffff800008673c10\n[  303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000\n[  303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027\n[  303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000\n[  303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000\n[  303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54\n[  303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4\n[  303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002\n[  303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201\n[  303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc\n[  303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000\n[  303.303341] Call trace:\n[  303.303679]  0x0\n[  303.303938]  efivar_entry_set_get_size+0x98/0x16c\n[  303.304585]  efivarfs_file_write+0xd0/0x1a4\n[  303.305148]  vfs_write+0xc4/0x2e4\n[  303.305601]  ksys_write+0x70/0x104\n[  303.306073]  __arm64_sys_write+0x1c/0x28\n[  303.306622]  invoke_syscall+0x48/0x114\n[  303.307156]  el0_svc_common.constprop.0+0x44/0xec\n[  303.307803]  do_el0_svc+0x38/0x98\n[  303.308268]  el0_svc+0x2c/0x84\n[  303.308702]  el0t_64_sync_handler+0xf4/0x120\n[  303.309293]  el0t_64_sync+0x190/0x194\n[  303.309794] Code: ???????? ???????? ???????? ???????? (????????)\n[  303.310612] ---[ end trace 0000000000000000 ]---\n\nFix this by adding a .reconfigure() function to the fs operations which\nwe can use to check the requested flags and deny anything that\u0027s not RO\nif the firmware doesn\u0027t implement SetVariable at runtime."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:49:04.560Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2aa141f8bc580f8f9811dfe4e0e6009812b73826"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4a9aa7db574a0da64307729cc031fb68597aa8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0049fe7e4a85849bdd778cdb72e51a791ff3d737"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4a714873db0866cc471521114eeac4a5072d548"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e8d2444168dd519fea501599d150e62718ed2fe"
        }
      ],
      "title": "efivarfs: force RO when remounting if SetVariable is not supported",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52463",
    "datePublished": "2024-02-23T14:46:23.537Z",
    "dateReserved": "2024-02-20T12:30:33.296Z",
    "dateUpdated": "2025-05-04T12:49:04.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/2aa141f8bc580f8f9811dfe4e0e6009812b73826\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/d4a9aa7db574a0da64307729cc031fb68597aa8b\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/0049fe7e4a85849bdd778cdb72e51a791ff3d737\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/d4a714873db0866cc471521114eeac4a5072d548\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/0e8d2444168dd519fea501599d150e62718ed2fe\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T23:03:19.782Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-52463\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-04T20:59:53.029082Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:14.915Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"efivarfs: force RO when remounting if SetVariable is not supported\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"f88814cc2578c121e6edef686365036db72af0ed\", \"lessThan\": \"94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f88814cc2578c121e6edef686365036db72af0ed\", \"lessThan\": \"2aa141f8bc580f8f9811dfe4e0e6009812b73826\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f88814cc2578c121e6edef686365036db72af0ed\", \"lessThan\": \"d4a9aa7db574a0da64307729cc031fb68597aa8b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f88814cc2578c121e6edef686365036db72af0ed\", \"lessThan\": \"0049fe7e4a85849bdd778cdb72e51a791ff3d737\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f88814cc2578c121e6edef686365036db72af0ed\", \"lessThan\": \"d4a714873db0866cc471521114eeac4a5072d548\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f88814cc2578c121e6edef686365036db72af0ed\", \"lessThan\": \"0e8d2444168dd519fea501599d150e62718ed2fe\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"552952e51fad35670459674bcb8a03bd96fe4646\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/efivarfs/super.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.10.209\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.148\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.75\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.14\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/efivarfs/super.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/94c742324ed7e42c5bd6a9ed22e4ec6d764db4d8\"}, {\"url\": \"https://git.kernel.org/stable/c/2aa141f8bc580f8f9811dfe4e0e6009812b73826\"}, {\"url\": \"https://git.kernel.org/stable/c/d4a9aa7db574a0da64307729cc031fb68597aa8b\"}, {\"url\": \"https://git.kernel.org/stable/c/0049fe7e4a85849bdd778cdb72e51a791ff3d737\"}, {\"url\": \"https://git.kernel.org/stable/c/d4a714873db0866cc471521114eeac4a5072d548\"}, {\"url\": \"https://git.kernel.org/stable/c/0e8d2444168dd519fea501599d150e62718ed2fe\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nefivarfs: force RO when remounting if SetVariable is not supported\\n\\nIf SetVariable at runtime is not supported by the firmware we never assign\\na callback for that function. At the same time mount the efivarfs as\\nRO so no one can call that.  However, we never check the permission flags\\nwhen someone remounts the filesystem as RW. As a result this leads to a\\ncrash looking like this:\\n\\n$ mount -o remount,rw /sys/firmware/efi/efivars\\n$ efi-updatevar -f PK.auth PK\\n\\n[  303.279166] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\n[  303.280482] Mem abort info:\\n[  303.280854]   ESR = 0x0000000086000004\\n[  303.281338]   EC = 0x21: IABT (current EL), IL = 32 bits\\n[  303.282016]   SET = 0, FnV = 0\\n[  303.282414]   EA = 0, S1PTW = 0\\n[  303.282821]   FSC = 0x04: level 0 translation fault\\n[  303.283771] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004258c000\\n[  303.284913] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\\n[  303.286076] Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\\n[  303.286936] Modules linked in: qrtr tpm_tis tpm_tis_core crct10dif_ce arm_smccc_trng rng_core drm fuse ip_tables x_tables ipv6\\n[  303.288586] CPU: 1 PID: 755 Comm: efi-updatevar Not tainted 6.3.0-rc1-00108-gc7d0c4695c68 #1\\n[  303.289748] Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04-00627-g88336918701d 04/01/2023\\n[  303.291150] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n[  303.292123] pc : 0x0\\n[  303.292443] lr : efivar_set_variable_locked+0x74/0xec\\n[  303.293156] sp : ffff800008673c10\\n[  303.293619] x29: ffff800008673c10 x28: ffff0000037e8000 x27: 0000000000000000\\n[  303.294592] x26: 0000000000000800 x25: ffff000002467400 x24: 0000000000000027\\n[  303.295572] x23: ffffd49ea9832000 x22: ffff0000020c9800 x21: ffff000002467000\\n[  303.296566] x20: 0000000000000001 x19: 00000000000007fc x18: 0000000000000000\\n[  303.297531] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaac807ab54\\n[  303.298495] x14: ed37489f673633c0 x13: 71c45c606de13f80 x12: 47464259e219acf4\\n[  303.299453] x11: ffff000002af7b01 x10: 0000000000000003 x9 : 0000000000000002\\n[  303.300431] x8 : 0000000000000010 x7 : ffffd49ea8973230 x6 : 0000000000a85201\\n[  303.301412] x5 : 0000000000000000 x4 : ffff0000020c9800 x3 : 00000000000007fc\\n[  303.302370] x2 : 0000000000000027 x1 : ffff000002467400 x0 : ffff000002467000\\n[  303.303341] Call trace:\\n[  303.303679]  0x0\\n[  303.303938]  efivar_entry_set_get_size+0x98/0x16c\\n[  303.304585]  efivarfs_file_write+0xd0/0x1a4\\n[  303.305148]  vfs_write+0xc4/0x2e4\\n[  303.305601]  ksys_write+0x70/0x104\\n[  303.306073]  __arm64_sys_write+0x1c/0x28\\n[  303.306622]  invoke_syscall+0x48/0x114\\n[  303.307156]  el0_svc_common.constprop.0+0x44/0xec\\n[  303.307803]  do_el0_svc+0x38/0x98\\n[  303.308268]  el0_svc+0x2c/0x84\\n[  303.308702]  el0t_64_sync_handler+0xf4/0x120\\n[  303.309293]  el0t_64_sync+0x190/0x194\\n[  303.309794] Code: ???????? ???????? ???????? ???????? (????????)\\n[  303.310612] ---[ end trace 0000000000000000 ]---\\n\\nFix this by adding a .reconfigure() function to the fs operations which\\nwe can use to check the requested flags and deny anything that\u0027s not RO\\nif the firmware doesn\u0027t implement SetVariable at runtime.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.209\", \"versionStartIncluding\": \"5.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.148\", \"versionStartIncluding\": \"5.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.75\", \"versionStartIncluding\": \"5.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.14\", \"versionStartIncluding\": \"5.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.2\", \"versionStartIncluding\": \"5.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\", \"versionStartIncluding\": \"5.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"5.7.11\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:49:04.560Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-52463\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T12:49:04.560Z\", \"dateReserved\": \"2024-02-20T12:30:33.296Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-02-23T14:46:23.537Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.