* CVE-2023-52449: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
@ 2024-02-22 16:21 Greg Kroah-Hartman
0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2024-02-22 16:21 UTC (permalink / raw)
To: linux-cve-announce; +Cc: Greg Kroah-Hartman
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
triggers NULL pointer dereference when trying to access
‘gluebi->desc’ in gluebi_read().
ubi_gluebi_init
ubi_register_volume_notifier
ubi_enumerate_volumes
ubi_notify_all
gluebi_notify nb->notifier_call()
gluebi_create
mtd_device_register
mtd_device_parse_register
add_mtd_device
blktrans_notify_add not->add()
ftl_add_mtd tr->add_mtd()
scan_header
mtd_read
mtd_read_oob
mtd_read_oob_std
gluebi_read mtd->read()
gluebi->desc - NULL
Detailed reproduction information available at the Link [1],
In the normal case, obtain gluebi->desc in the gluebi_get_device(),
and access gluebi->desc in the gluebi_read(). However,
gluebi_get_device() is not executed in advance in the
ftl_add_mtd() process, which leads to NULL pointer dereference.
The solution for the gluebi module is to run jffs2 on the UBI
volume without considering working with ftl or mtdblock [2].
Therefore, this problem can be avoided by preventing gluebi from
creating the mtdblock device after creating mtd partition of the
type MTD_UBIVOLUME.
The Linux kernel CVE team has assigned CVE-2023-52449 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 4.19.306 with commit aeba358bcc8f
Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 5.4.268 with commit 1bf4fe14e97c
Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 5.10.209 with commit 001a3f59d8c9
Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 5.15.148 with commit d8ac2537763b
Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 6.1.75 with commit 5389407bba1e
Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 6.6.14 with commit cfd7c9d260dc
Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 6.7.2 with commit b36aaa64d58a
Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 6.8-rc1 with commit a43bdc376dea
Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-52449
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/mtd/mtd_blkdevs.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022
https://git.kernel.org/stable/c/1bf4fe14e97cda621522eb2f28b0a4e87c5b0745
https://git.kernel.org/stable/c/001a3f59d8c914ef8273461d4bf495df384cc5f8
https://git.kernel.org/stable/c/d8ac2537763b54d278b80b2b080e1652523c7d4c
https://git.kernel.org/stable/c/5389407bba1eab1266c6d83e226fb0840cb98dd5
https://git.kernel.org/stable/c/cfd7c9d260dc0a3baaea05a122a19ab91e193c65
https://git.kernel.org/stable/c/b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc
https://git.kernel.org/stable/c/a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-02-22 16:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-22 16:21 CVE-2023-52449: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).