| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025123029-CVE-2023-54198-1df4@gregkh> Date: Tue, 30 Dec 2025 13:10:06 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-54198: tty: fix out-of-bounds access in tty_driver_lookup_tty() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: tty: fix out-of-bounds access in tty_driver_lookup_tty() When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number. To reproduce: qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ -kernel ../linux-build-x86/arch/x86/boot/bzImage \ -append "console=ttyS0 console=tty3270" This crashes with: [ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: error_code(0x0000) - not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 [ 0.784013] chrdev_open+0xbd/0x230 [ 0.784444] ? cdev_device_add+0x80/0x80 [ 0.784920] do_dentry_open+0x1e0/0x410 [ 0.785389] path_openat+0xca9/0x1050 [ 0.785813] do_filp_open+0xaa/0x150 [ 0.786240] file_open_name+0x133/0x1b0 [ 0.786746] filp_open+0x27/0x50 [ 0.787244] console_on_rootfs+0x14/0x4d [ 0.787800] kernel_init_freeable+0x1e4/0x20d [ 0.788383] ? rest_init+0xc0/0xc0 [ 0.788881] kernel_init+0x11/0x120 [ 0.789356] ret_from_fork+0x22/0x30 The Linux kernel CVE team has assigned CVE-2023-54198 to this issue. Affected and fixed versions =========================== Fixed in 4.14.308 with commit 3df6f492f500a16c231f07ccc6f6ed1302caddf9 Fixed in 4.19.276 with commit b79109d6470aaae7062998353e3a19449055829d Fixed in 5.4.235 with commit 953a4a352a0c185460ae1449e4c6e6658e55fdfc Fixed in 5.10.173 with commit 84ea44dc3e4ecb2632586238014bf6722aa5843b Fixed in 5.15.100 with commit f9d9d25ad1f0d060eaf297a2f7f03b5855a45561 Fixed in 6.1.18 with commit 765566110eb0da3cf60198b0165ecceeaafa6444 Fixed in 6.2.5 with commit fcfeaa570f7a5c2d5f4f14931909531ff18b7fde Fixed in 6.3 with commit db4df8e9d79e7d37732c1a1b560958e8dadfefa1 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-54198 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/tty/tty_io.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9 https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561 https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444 https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1
Powered by blists - more mailing lists