CVE-2023-53048

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
05/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: fix warning when handle discover_identity message

Since both source and sink device can send discover_identity message in
PD3, kernel may dump below warning:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 169 at drivers/usb/typec/tcpm/tcpm.c:1446 tcpm_queue_vdm+0xe0/0xf0
Modules linked in:
CPU: 0 PID: 169 Comm: 1-0050 Not tainted 6.1.1-00038-g6a3c36cf1da2-dirty #567
Hardware name: NXP i.MX8MPlus EVK board (DT)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : tcpm_queue_vdm+0xe0/0xf0
lr : tcpm_queue_vdm+0x2c/0xf0
sp : ffff80000c19bcd0
x29: ffff80000c19bcd0 x28: 0000000000000001 x27: ffff0000d11c8ab8
x26: ffff0000d11cc000 x25: 0000000000000000 x24: 00000000ff008081
x23: 0000000000000001 x22: 00000000ff00a081 x21: ffff80000c19bdbc
x20: 0000000000000000 x19: ffff0000d11c8080 x18: ffffffffffffffff
x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000d716f580
x14: 0000000000000001 x13: ffff0000d716f507 x12: 0000000000000001
x11: 0000000000000000 x10: 0000000000000020 x9 : 00000000000ee098
x8 : 00000000ffffffff x7 : 000000000000001c x6 : ffff0000d716f580
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : ffff80000c19bdbc x1 : 00000000ff00a081 x0 : 0000000000000004
Call trace:
tcpm_queue_vdm+0xe0/0xf0
tcpm_pd_rx_handler+0x340/0x1ab0
kthread_worker_fn+0xcc/0x18c
kthread+0x10c/0x110
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---

Below sequences may trigger this warning:

tcpm_send_discover_work(work)
tcpm_send_vdm(port, USB_SID_PD, CMD_DISCOVER_IDENT, NULL, 0);
tcpm_queue_vdm(port, header, data, count);
port->vdm_state = VDM_STATE_READY;

vdm_state_machine_work(work);
vdm_state = VDM_STATE_SEND_MESSAGE;
mod_vdm_delayed_work(port, x);

tcpm_pd_rx_handler(work);
tcpm_pd_data_request(port, msg);
tcpm_handle_vdm_request(port, msg->payload, cnt);
tcpm_queue_vdm(port, response[0], &response[1], rlen - 1);
--> WARN_ON(port->vdm_state > VDM_STATE_DONE);

For this case, the state machine could still send out discover
identity message later if we skip current discover_identity message.
So we should handle the received message firstly and override the pending
discover_identity message without warning in this case. Then, a delayed
send_discover work will send discover_identity message again.
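
Added example (a user-space model, not the kernel's code and not taken from the patch): it replays the three-step sequence from the description to show when the WARN_ON condition is true and what the described fix changes. The struct, the queue_vdm and replay_race helpers, the command values, the numeric state values, and keeping the warning for commands other than discover_identity are all assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model, not kernel code. Only the state names come from the
 * description; numeric values and the struct layout are assumptions. */
enum vdm_state { VDM_STATE_DONE = 0, VDM_STATE_READY, VDM_STATE_SEND_MESSAGE };
enum { CMD_DISCOVER_IDENT = 1, CMD_OTHER, CMD_REPLY };   /* model values */

struct port_model {
    enum vdm_state vdm_state;
    int pending_cmd;     /* command of the VDM still waiting to be sent */
    bool send_discover;  /* delayed send_discover work has been scheduled */
    int warnings;        /* times the WARN_ON condition was true */
};

/* fixed=false: quoted check, any VDM still in flight warns.
 * fixed=true: a pending discover_identity is overridden and retried later. */
static void queue_vdm(struct port_model *p, int cmd, bool fixed)
{
    if (p->vdm_state > VDM_STATE_DONE) {      /* previous VDM still in flight */
        if (fixed && p->pending_cmd == CMD_DISCOVER_IDENT)
            p->send_discover = true;          /* override now, resend later */
        else
            p->warnings++;                    /* WARN_ON would fire here */
    }
    p->pending_cmd = cmd;
    p->vdm_state = VDM_STATE_READY;
}

/* Replays the sequence from the description; returns the warning count. */
static int replay_race(bool fixed, int own_cmd, struct port_model *p)
{
    *p = (struct port_model){ .vdm_state = VDM_STATE_DONE };
    queue_vdm(p, own_cmd, fixed);             /* tcpm_send_discover_work */
    p->vdm_state = VDM_STATE_SEND_MESSAGE;    /* vdm_state_machine_work */
    queue_vdm(p, CMD_REPLY, fixed);           /* tcpm_pd_rx_handler reply */
    return p->warnings;
}

int main(void)
{
    struct port_model p;
    int before = replay_race(false, CMD_DISCOVER_IDENT, &p);
    int after = replay_race(true, CMD_DISCOVER_IDENT, &p);
    printf("warnings before=%d after=%d retry_scheduled=%d\n",
           before, after, p.send_discover);
    return 0;
}
```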

Impact