Message-ID: <2025120844-CVE-2023-53758-93a2@gregkh>
Date: Mon, 8 Dec 2025 10:19:57 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53758: spi: atmel-quadspi: Free resources even if runtime resume failed in .remove()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
spi: atmel-quadspi: Free resources even if runtime resume failed in .remove()
An early error exit in atmel_qspi_remove() doesn't prevent the device
unbind. So this results in an spi controller with an unbound parent
and unmapped register space (because devm_ioremap_resource() is undone).
So using the remaining spi controller probably results in an oops.
Instead unregister the controller unconditionally and only skip hardware
access and clk disable.
Also add a warning about resume failing and return zero unconditionally.
The latter has the only effect to suppress a less helpful error message by
the spi core.
The Linux kernel CVE team has assigned CVE-2023-53758 to this issue.
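To make the ordering problem in the description concrete, here is an added user-space model of the two .remove() shapes. It is example code written for this page, not code from the kernel or from the atmel-quadspi driver: the SPI core registry, the devm-managed register mapping, runtime-PM resume and the driver core's unbind are all simulated, and every fake_*, buggy_remove, fixed_remove and run_scenario name is a hypothetical stand-in. The model shows why the early error exit leaves a registered controller with unmapped registers, and why unregistering unconditionally and gating only the hardware access on a successful resume does not.

```c
/*
 * Added example: a user-space model of the .remove() ordering bug behind
 * CVE-2023-53758. Not kernel code; the SPI core, devm register mapping,
 * runtime-PM resume and driver-core unbind are stand-ins, and all fake_*
 * and *_remove names are hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Per-controller state that the real driver spreads over the SPI core,
 * devm-managed resources and the clock framework. */
struct fake_ctrl {
    bool registered;   /* SPI core still lists the controller          */
    bool regs_mapped;  /* devm_ioremap_resource() mapping is alive     */
    bool hw_touched;   /* register write / clk disable was attempted   */
    bool warned;       /* dev_warn() about the failed resume was issued */
    int  remove_ret;   /* what .remove() returned to the driver core    */
};

/* Simulated pm_runtime_resume_and_get(): the caller decides if it fails. */
static bool fake_resume_fails;
static int fake_pm_runtime_resume_and_get(void)
{
    return fake_resume_fails ? -EIO : 0;
}

static void fake_spi_unregister_controller(struct fake_ctrl *c)
{
    c->registered = false;
}

/* Stand-in for the QSPI disable write plus clock disable: only legal while
 * the device is resumed and its registers are mapped. */
static void fake_hw_quiesce(struct fake_ctrl *c)
{
    c->hw_touched = true;
}

/* Shape before the fix: bail out on resume failure before unregistering. */
static int buggy_remove(struct fake_ctrl *c)
{
    int ret = fake_pm_runtime_resume_and_get();
    if (ret < 0)
        return ret;            /* early exit: controller stays registered */
    fake_spi_unregister_controller(c);
    fake_hw_quiesce(c);
    return 0;
}

/* Shape after the fix: unregister unconditionally, gate only the hardware
 * access and clock disable on a successful resume, warn, and return 0. */
static int fixed_remove(struct fake_ctrl *c)
{
    int ret;
    fake_spi_unregister_controller(c);
    ret = fake_pm_runtime_resume_and_get();
    if (ret >= 0)
        fake_hw_quiesce(c);
    else
        c->warned = true;      /* dev_warn(): resume failed, skip hw access */
    return 0;
}

/* The driver core unbinds and runs devm cleanup no matter what .remove()
 * returned; a non-zero return is only logged. */
static void fake_unbind(struct fake_ctrl *c, int (*remove)(struct fake_ctrl *))
{
    c->remove_ret = remove(c);
    c->regs_mapped = false;    /* devm_ioremap_resource() undone */
}

/* A later transfer through the controller: 0 = safe, -ENODEV = the core no
 * longer knows it, -EFAULT = still registered but registers unmapped, i.e.
 * the oops the advisory describes. */
static int fake_transfer(const struct fake_ctrl *c)
{
    if (!c->registered)
        return -ENODEV;
    if (!c->regs_mapped)
        return -EFAULT;
    return 0;
}

/* Bind a fresh controller, unbind it with the given .remove(), then try a
 * transfer. Final state is copied to *out for inspection. */
static int run_scenario(bool resume_fails, int (*remove)(struct fake_ctrl *),
                        struct fake_ctrl *out)
{
    struct fake_ctrl c = { .registered = true, .regs_mapped = true };
    fake_resume_fails = resume_fails;
    fake_unbind(&c, remove);
    *out = c;
    return fake_transfer(&c);
}

int main(void)
{
    struct fake_ctrl c;
    int rc = run_scenario(true, buggy_remove, &c);
    printf("buggy, resume fails: transfer=%d registered=%d\n", rc, c.registered);
    rc = run_scenario(true, fixed_remove, &c);
    printf("fixed, resume fails: transfer=%d registered=%d warned=%d\n",
           rc, c.registered, c.warned);
    return 0;
}
```

With a failing resume, the buggy path returns an error but the controller is still registered while its register window is gone, so the next transfer is the -EFAULT case; the fixed path leaves the core with no controller to hand the transfer to (-ENODEV), never touches the hardware, and records the warning. With a successful resume both paths quiesce the hardware and unregister, which is why the fix is purely about the failure ordering.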
Affected and fixed versions
===========================
Issue introduced in 6.0 with commit 4a2f83b7f78092a6d9e98fb5573d8f4b79c56336 and fixed in 6.1.28 with commit f6974fb20499e3b6522daa7aec822aac11dfcf42
Issue introduced in 6.0 with commit 4a2f83b7f78092a6d9e98fb5573d8f4b79c56336 and fixed in 6.2.15 with commit 618770d4d8e40b7f8ed9eb5f210cd9164dfac47d
Issue introduced in 6.0 with commit 4a2f83b7f78092a6d9e98fb5573d8f4b79c56336 and fixed in 6.3.2 with commit 77806d7c9bebe40a8cdce2b8d30fbe6511745df8
Issue introduced in 6.0 with commit 4a2f83b7f78092a6d9e98fb5573d8f4b79c56336 and fixed in 6.4 with commit 9448bc1dee65f86c0fe64d9dea8b410af0586886
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53758
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/spi/atmel-quadspi.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f6974fb20499e3b6522daa7aec822aac11dfcf42
https://git.kernel.org/stable/c/618770d4d8e40b7f8ed9eb5f210cd9164dfac47d
https://git.kernel.org/stable/c/77806d7c9bebe40a8cdce2b8d30fbe6511745df8
https://git.kernel.org/stable/c/9448bc1dee65f86c0fe64d9dea8b410af0586886