CVE-2023-52492

dmaengine: fix NULL pointer in channel unregistration function

Severity Score

4.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: fix NULL pointer in channel unregistration function

__dma_async_device_channel_register() can fail. In case of failure,
chan->local is freed (with free_percpu()), and chan->local is nullified.
When dma_async_device_unregister() is called (because of managed API or
intentionally by DMA controller driver), channels are unconditionally
unregistered, leading to this NULL pointer:
[ 1.318693] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[...]
[ 1.484499] Call trace:
[ 1.486930] device_del+0x40/0x394
[ 1.490314] device_unregister+0x20/0x7c
[ 1.494220] __dma_async_device_channel_unregister+0x68/0xc0

Look at dma_async_device_register() function error path, channel device
unregistration is done only if chan->local is not NULL.

Then add the same condition at the beginning of
__dma_async_device_channel_unregister() function, to avoid NULL pointer
issue whatever the API used to reach this function.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: dmaengine: corrige el puntero NULL en la función de cancelación del registro del canal __dma_async_device_channel_register() puede fallar. En caso de falla, chan->local se libera (con free_percpu()) y chan->local se anula. Cuando se llama a dma_async_device_unregister() (debido a una API administrada o intencionalmente por el controlador del controlador DMA), los canales se anulan incondicionalmente, lo que lleva a este puntero NULL: [1.318693] No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 00000000000000d0 [...] [ 1.484499] Seguimiento de llamadas: [ 1.486930] device_del+0x40/0x394 [ 1.490314] device_unregister+0x20/0x7c [ 1.494220] __dma_async_device_channel_unregister+0x68/0xc0 Mire la ruta de error de la función dma_async_device_register(), cancelación del registro del dispositivo La ración se realiza sólo si chan->local es no nulo. Luego agregue la misma condición al comienzo de la función __dma_async_device_channel_unregister(), para evitar problemas de puntero NULL cualquiera que sea la API utilizada para alcanzar esta función.

*Credits: N/A

CVSS Scores

CISAv3.1 4.4

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-29 CVE Published
2024-03-01 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/d2fb0a0438384fee08a418025f743913020033ce	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/9de69732dde4e443c1c7f89acbbed2c45a6a8e17	2024-02-23
https://git.kernel.org/stable/c/047fce470412ab64cb7345f9ff5d06919078ad79	2024-02-23
https://git.kernel.org/stable/c/2ab32986a0b9e329eb7f8f04dd57cc127f797c08	2024-02-01
https://git.kernel.org/stable/c/7f0ccfad2031eddcc510caf4e57f2d4aa2d8a50b	2024-02-01
https://git.kernel.org/stable/c/9263fd2a63487c6d04cbb7b74a48fb12e1e352d0	2024-02-01
https://git.kernel.org/stable/c/f5c24d94512f1b288262beda4d3dcb9629222fc7	2023-12-21

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52492	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2269183	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.10.210"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 6.1.76 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 6.1.76"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 6.6.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 6.6.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 6.7.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 6.7.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.6 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 6.8"		en		Affected