| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025123022-CVE-2023-54321-b87f@gregkh>
Date: Tue, 30 Dec 2025 13:34:24 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-54321: driver core: fix potential null-ptr-deref in device_add()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
driver core: fix potential null-ptr-deref in device_add()
I got the following null-ptr-deref report while doing fault injection test:
BUG: kernel NULL pointer dereference, address: 0000000000000058
CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:
<TASK>
klist_remove+0xf1/0x1c0
device_release_driver_internal+0x196/0x210
bus_remove_device+0x1bd/0x240
device_add+0xd3d/0x1100
w1_add_master_device+0x476/0x490 [wire]
ds2482_probe+0x303/0x3e0 [ds2482]
This is how it happened:
w1_alloc_dev()
// The dev->driver is set to w1_master_driver.
memcpy(&dev->dev, device, sizeof(struct device));
device_add()
bus_add_device()
dpm_sysfs_add() // It fails, calls bus_remove_device.
// error path
bus_remove_device()
// The dev->driver is not null, but driver is not bound.
__device_release_driver()
klist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref.
// normal path
bus_probe_device() // It's not called yet.
device_bind_driver()
If dev->driver is set, in the error path after calling bus_add_device()
in device_add(), bus_remove_device() is called, then the device will be
detached from driver. But device_bind_driver() is not called yet, so it
causes null-ptr-deref while access the 'knode_driver'. To fix this, set
dev->driver to null in the error path before calling bus_remove_device().
The Linux kernel CVE team has assigned CVE-2023-54321 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.26 with commit 57eee3d23e8833ca18708b374c648235691942ba and fixed in 5.15.99 with commit 2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3
Issue introduced in 2.6.26 with commit 57eee3d23e8833ca18708b374c648235691942ba and fixed in 6.1.16 with commit 7cf515bf9e8c2908dc170ecf2df117162a16c9c5
Issue introduced in 2.6.26 with commit 57eee3d23e8833ca18708b374c648235691942ba and fixed in 6.2.3 with commit 17982304806c5c10924e73f7ca5556e0d7378452
Issue introduced in 2.6.26 with commit 57eee3d23e8833ca18708b374c648235691942ba and fixed in 6.3 with commit f6837f34a34973ef6600c08195ed300e24e97317
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-54321
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/base/core.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3
https://git.kernel.org/stable/c/7cf515bf9e8c2908dc170ecf2df117162a16c9c5
https://git.kernel.org/stable/c/17982304806c5c10924e73f7ca5556e0d7378452
https://git.kernel.org/stable/c/f6837f34a34973ef6600c08195ed300e24e97317
Powered by blists - more mailing lists