Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2023-52856

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/05/2024
Last modified:
31/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/bridge: lt8912b: Fix crash on bridge detach<br /> <br /> The lt8912b driver, in its bridge detach function, calls<br /> drm_connector_unregister() and drm_connector_cleanup().<br /> <br /> drm_connector_unregister() should be called only for connectors<br /> explicitly registered with drm_connector_register(), which is not the<br /> case in lt8912b.<br /> <br /> The driver&amp;#39;s drm_connector_funcs.destroy hook is set to<br /> drm_connector_cleanup().<br /> <br /> Thus the driver should not call either drm_connector_unregister() nor<br /> drm_connector_cleanup() in its lt8912_bridge_detach(), as they cause a<br /> crash on bridge detach:<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> Mem abort info:<br /> ESR = 0x0000000096000006<br /> EC = 0x25: DABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x06: level 2 translation fault<br /> Data abort info:<br /> ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000<br /> CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> user pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000<br /> [0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000<br /> Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP<br /> Modules linked in: tidss(-) display_connector lontium_lt8912b tc358768 panel_lvds panel_simple drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks<br /> CPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2<br /> Hardware name: Toradex Verdin AM62 on Verdin Development Board (DT)<br /> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : drm_connector_cleanup+0x78/0x2d4 [drm]<br /> lr : lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]<br /> sp : ffff800082ed3a90<br /> x29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000<br /> x26: 0000000000000000 x25: dead000000000122 x24: dead000000000122<br /> x23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000<br /> x20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8<br /> x17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038<br /> x14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e<br /> x11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48<br /> x8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0<br /> x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008<br /> x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000<br /> Call trace:<br /> drm_connector_cleanup+0x78/0x2d4 [drm]<br /> lt8912_bridge_detach+0x54/0x6c [lontium_lt8912b]<br /> drm_bridge_detach+0x44/0x84 [drm]<br /> drm_encoder_cleanup+0x40/0xb8 [drm]<br /> drmm_encoder_alloc_release+0x1c/0x30 [drm]<br /> drm_managed_release+0xac/0x148 [drm]<br /> drm_dev_put.part.0+0x88/0xb8 [drm]<br /> devm_drm_dev_init_release+0x14/0x24 [drm]<br /> devm_action_release+0x14/0x20<br /> release_nodes+0x5c/0x90<br /> devres_release_all+0x8c/0xe0<br /> device_unbind_cleanup+0x18/0x68<br /> device_release_driver_internal+0x208/0x23c<br /> driver_detach+0x4c/0x94<br /> bus_remove_driver+0x70/0xf4<br /> driver_unregister+0x30/0x60<br /> platform_driver_unregister+0x14/0x20<br /> tidss_platform_driver_exit+0x18/0xb2c [tidss]<br /> __arm64_sys_delete_module+0x1a0/0x2b4<br /> invoke_syscall+0x48/0x110<br /> el0_svc_common.constprop.0+0x60/0x10c<br /> do_el0_svc_compat+0x1c/0x40<br /> el0_svc_compat+0x40/0xac<br /> el0t_32_sync_handler+0xb0/0x138<br /> el0t_32_sync+0x194/0x198<br /> Code: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.13 (including) 5.15.139 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.63 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.5.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6 (including) 6.6.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools