CVE-2023-54198

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: fix out-of-bounds access in tty_driver_lookup_tty()<br /> <br /> When specifying an invalid console= device like console=tty3270,<br /> tty_driver_lookup_tty() returns the tty struct without checking<br /> whether index is a valid number.<br /> <br /> To reproduce:<br /> <br /> qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \<br /> -kernel ../linux-build-x86/arch/x86/boot/bzImage \<br /> -append "console=ttyS0 console=tty3270"<br /> <br /> This crashes with:<br /> <br /> [ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef<br /> [ 0.771265] #PF: supervisor read access in kernel mode<br /> [ 0.771773] #PF: error_code(0x0000) - not-present page<br /> [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI<br /> [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0<br /> [ 0.784013] chrdev_open+0xbd/0x230<br /> [ 0.784444] ? cdev_device_add+0x80/0x80<br /> [ 0.784920] do_dentry_open+0x1e0/0x410<br /> [ 0.785389] path_openat+0xca9/0x1050<br /> [ 0.785813] do_filp_open+0xaa/0x150<br /> [ 0.786240] file_open_name+0x133/0x1b0<br /> [ 0.786746] filp_open+0x27/0x50<br /> [ 0.787244] console_on_rootfs+0x14/0x4d<br /> [ 0.787800] kernel_init_freeable+0x1e4/0x20d<br /> [ 0.788383] ? rest_init+0xc0/0xc0<br /> [ 0.788881] kernel_init+0x11/0x120<br /> [ 0.789356] ret_from_fork+0x22/0x30