CVE-2023-52473

thermal: core: Fix NULL pointer dereference in zone registration error path

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix NULL pointer dereference in zone registration error path If device_register() in thermal_zone_device_register_with_trips()
returns an error, the tz variable is set to NULL and subsequently
dereferenced in kfree(tz->tzp). Commit adc8749b150c ("thermal/drivers/core: Use put_device() if
device_register() fails") added the tz = NULL assignment in question to
avoid a possible double-free after dropping the reference to the zone
device. However, after commit 4649620d9404 ("thermal: core: Make
thermal_zone_device_unregister() return after freeing the zone"), that
assignment has become redundant, because dropping the reference to the
zone device does not cause the zone object to be freed any more. Drop it to address the NULL pointer dereference.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal: Core: corrige la desreferencia del puntero NULL en la ruta del error de registro de zona. Si device_register() en Thermal_zone_device_register_with_trips() devuelve un error, la variable tz se establece en NULL y posteriormente se desreferencia en kfree( tz->tzp). el commit adc8749b150c ("thermal/drivers/core: use put_device() si falla el dispositivo_register()") agregó la asignación tz = NULL en cuestión para evitar una posible doble liberación después de eliminar la referencia al dispositivo de zona. Sin embargo, después de el commit 4649620d9404 ("thermal: core: Make Thermal_zone_device_unregister() return después de liberar la zona"), esa asignación se ha vuelto redundante, porque eliminar la referencia al dispositivo de zona ya no causa que el objeto de zona se libere más. Suéltelo para abordar la desreferencia del puntero NULL.

is a security vulnerability in the Linux kernel, specifically within the thermal management subsystem. This vulnerability is a NULL pointer dereference that occurs in the thermal_zone_device_register_with_trips() function during the thermal zone registration error path. This issue can cause crashes and system instability.

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix NULL pointer dereference in zone registration error path If device_register() in thermal_zone_device_register_with_trips() returns an error, the tz variable is set to NULL and subsequently dereferenced in kfree(tz->tzp). Commit adc8749b150c ("thermal/drivers/core: Use put_device() if device_register() fails") added the tz = NULL assignment in question to avoid a possible double-free after dropping the reference to the zone device. However, after commit 4649620d9404 ("thermal: core: Make thermal_zone_device_unregister() return after freeing the zone"), that assignment has become redundant, because dropping the reference to the zone device does not cause the zone object to be freed any more. Drop it to address the NULL pointer dereference.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-25 CVE Published
2024-04-21 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/3d439b1a2ad36c8b4ea151c8de25309d60d17407	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/335176dd8ebaca6493807dceea33c478305667fa	2024-01-25
https://git.kernel.org/stable/c/02871710b93058eb1249d5847c0b2d1c2c3c98ae	2024-01-25
https://git.kernel.org/stable/c/04e6ccfc93c5a1aa1d75a537cf27e418895e20ea	2023-12-15

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52473	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2266363	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.6.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.7.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.8"		en		Affected