CVE-2023-54198

Summary

In the Linux kernel, the following vulnerability has been resolved:

tty: fix out-of-bounds access in tty_driver_lookup_tty()

When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number.

To reproduce:

qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio
-kernel ../linux-build-x86/arch/x86/boot/bzImage
-append "console=ttyS0 console=tty3270"

This crashes with:

[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: error_code(0x0000) - not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 [ 0.784013] chrdev_open+0xbd/0x230 [ 0.784444] ? cdev_device_add+0x80/0x80 [ 0.784920] do_dentry_open+0x1e0/0x410 [ 0.785389] path_openat+0xca9/0x1050 [ 0.785813] do_filp_open+0xaa/0x150 [ 0.786240] file_open_name+0x133/0x1b0 [ 0.786746] filp_open+0x27/0x50 [ 0.787244] console_on_rootfs+0x14/0x4d [ 0.787800] kernel_init_freeable+0x1e4/0x20d [ 0.788383] ? rest_init+0xc0/0xc0 [ 0.788881] kernel_init+0x11/0x120 [ 0.789356] ret_from_fork+0x22/0x30

Affected Software

VendorProductVersion RangeStatus
LinuxLinux99f1fe189daf8e99a847e420567e49dd7ee2aae7 < 3df6f492f500a16c231f07ccc6f6ed1302caddf9affected
LinuxLinux99f1fe189daf8e99a847e420567e49dd7ee2aae7 < b79109d6470aaae7062998353e3a19449055829daffected
LinuxLinux99f1fe189daf8e99a847e420567e49dd7ee2aae7 < 953a4a352a0c185460ae1449e4c6e6658e55fdfcaffected
LinuxLinux99f1fe189daf8e99a847e420567e49dd7ee2aae7 < 84ea44dc3e4ecb2632586238014bf6722aa5843baffected
LinuxLinux99f1fe189daf8e99a847e420567e49dd7ee2aae7 < f9d9d25ad1f0d060eaf297a2f7f03b5855a45561affected
LinuxLinux99f1fe189daf8e99a847e420567e49dd7ee2aae7 < 765566110eb0da3cf60198b0165ecceeaafa6444affected
LinuxLinux99f1fe189daf8e99a847e420567e49dd7ee2aae7 < fcfeaa570f7a5c2d5f4f14931909531ff18b7fdeaffected
LinuxLinux99f1fe189daf8e99a847e420567e49dd7ee2aae7 < db4df8e9d79e7d37732c1a1b560958e8dadfefa1affected
LinuxLinux2.6.28affected
LinuxLinux0 < 2.6.28unaffected
LinuxLinux4.14.308 <= 4.14.*unaffected
LinuxLinux4.19.276 <= 4.19.*unaffected
LinuxLinux5.4.235 <= 5.4.*unaffected
LinuxLinux5.10.173 <= 5.10.*unaffected
LinuxLinux5.15.100 <= 5.15.*unaffected
LinuxLinux6.1.18 <= 6.1.*unaffected
LinuxLinux6.2.5 <= 6.2.*unaffected
LinuxLinux6.3 <= *unaffected

Weaknesses

References