cve-2023-52765
Vulnerability from cvelistv5
Published: 2024-05-21 15:30
Modified: 2024-12-19 08:25
Summary
In the Linux kernel, the following vulnerability has been resolved:

mfd: qcom-spmi-pmic: Fix revid implementation

The Qualcomm SPMI PMIC revid implementation is broken in multiple ways.

First, it assumes that just because the sibling base device has been registered that means that it is also bound to a driver, which may not be the case (e.g. due to probe deferral or asynchronous probe). This could trigger a NULL-pointer dereference when attempting to access the driver data of the unbound device.

Second, it accesses driver data of a sibling device directly and without any locking, which means that the driver data may be freed while it is being accessed (e.g. on driver unbind).

Third, it leaks a struct device reference to the sibling device which is looked up using the spmi_device_from_of() every time a function (child) device is calling the revid function (e.g. on probe).

Fix this mess by reimplementing the revid lookup so that it is done only at probe of the PMIC device; the base device fetches the revid info from the hardware, while any secondary SPMI device fetches the information from the base device and caches it so that it can be accessed safely from its children. If the base device has not been probed yet then probe of a secondary device is deferred.
Impacted products
Vendor: Linux | Product: Linux | Version: 6.0


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "e9c11c6e3a0e"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "6.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unaffected",
                "version": "0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unaffected",
                "version": "6.1.64"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unaffected",
                "version": "6.5.13"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unaffected",
                "version": "\t6.6.3"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "unaffected",
                "version": "6.7"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.2,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52765",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-22T17:48:20.655650Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:23.227Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:11:35.927Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/db98de0809f12b0edb9cd1be78e1ec1bfeba8f40"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4ce77b023d42a9f1062eecf438df1af4b4072eb2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/affae18838db5e6b463ee30c821385695af56dc2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7b439aaa62fee474a0d84d67a25f4984467e7b95"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mfd/qcom-spmi-pmic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db98de0809f12b0edb9cd1be78e1ec1bfeba8f40",
              "status": "affected",
              "version": "e9c11c6e3a0e93903f5a13f8d2f97ae1bba512e1",
              "versionType": "git"
            },
            {
              "lessThan": "4ce77b023d42a9f1062eecf438df1af4b4072eb2",
              "status": "affected",
              "version": "e9c11c6e3a0e93903f5a13f8d2f97ae1bba512e1",
              "versionType": "git"
            },
            {
              "lessThan": "affae18838db5e6b463ee30c821385695af56dc2",
              "status": "affected",
              "version": "e9c11c6e3a0e93903f5a13f8d2f97ae1bba512e1",
              "versionType": "git"
            },
            {
              "lessThan": "7b439aaa62fee474a0d84d67a25f4984467e7b95",
              "status": "affected",
              "version": "e9c11c6e3a0e93903f5a13f8d2f97ae1bba512e1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mfd/qcom-spmi-pmic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: qcom-spmi-pmic: Fix revid implementation\n\nThe Qualcomm SPMI PMIC revid implementation is broken in multiple ways.\n\nFirst, it assumes that just because the sibling base device has been\nregistered that means that it is also bound to a driver, which may not\nbe the case (e.g. due to probe deferral or asynchronous probe). This\ncould trigger a NULL-pointer dereference when attempting to access the\ndriver data of the unbound device.\n\nSecond, it accesses driver data of a sibling device directly and without\nany locking, which means that the driver data may be freed while it is\nbeing accessed (e.g. on driver unbind).\n\nThird, it leaks a struct device reference to the sibling device which is\nlooked up using the spmi_device_from_of() every time a function (child)\ndevice is calling the revid function (e.g. on probe).\n\nFix this mess by reimplementing the revid lookup so that it is done only\nat probe of the PMIC device; the base device fetches the revid info from\nthe hardware, while any secondary SPMI device fetches the information\nfrom the base device and caches it so that it can be accessed safely\nfrom its children. If the base device has not been probed yet then probe\nof a secondary device is deferred."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:25:16.707Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db98de0809f12b0edb9cd1be78e1ec1bfeba8f40"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ce77b023d42a9f1062eecf438df1af4b4072eb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/affae18838db5e6b463ee30c821385695af56dc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b439aaa62fee474a0d84d67a25f4984467e7b95"
        }
      ],
      "title": "mfd: qcom-spmi-pmic: Fix revid implementation",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52765",
    "datePublished": "2024-05-21T15:30:49.690Z",
    "dateReserved": "2024-05-21T15:19:24.238Z",
    "dateUpdated": "2024-12-19T08:25:16.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52765\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:15.777\",\"lastModified\":\"2024-11-21T08:40:32.333\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmfd: qcom-spmi-pmic: Fix revid implementation\\n\\nThe Qualcomm SPMI PMIC revid implementation is broken in multiple ways.\\n\\nFirst, it assumes that just because the sibling base device has been\\nregistered that means that it is also bound to a driver, which may not\\nbe the case (e.g. due to probe deferral or asynchronous probe). This\\ncould trigger a NULL-pointer dereference when attempting to access the\\ndriver data of the unbound device.\\n\\nSecond, it accesses driver data of a sibling device directly and without\\nany locking, which means that the driver data may be freed while it is\\nbeing accessed (e.g. on driver unbind).\\n\\nThird, it leaks a struct device reference to the sibling device which is\\nlooked up using the spmi_device_from_of() every time a function (child)\\ndevice is calling the revid function (e.g. on probe).\\n\\nFix this mess by reimplementing the revid lookup so that it is done only\\nat probe of the PMIC device; the base device fetches the revid info from\\nthe hardware, while any secondary SPMI device fetches the information\\nfrom the base device and caches it so that it can be accessed safely\\nfrom its children. If the base device has not been probed yet then probe\\nof a secondary device is deferred.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mfd: qcom-spmi-pmic: reparaci\u00f3n de la implementaci\u00f3n revid. La implementaci\u00f3n revid de Qualcomm SPMI PMIC est\u00e1 rota de varias maneras. En primer lugar, se supone que el hecho de que el dispositivo base hermano se haya registrado significa que tambi\u00e9n est\u00e1 vinculado a un controlador, lo que puede no ser el caso (por ejemplo, debido a un aplazamiento de la sonda o una sonda asincr\u00f3nica). Esto podr\u00eda desencadenar una desreferencia del puntero NULL al intentar acceder a los datos del controlador del dispositivo independiente. En segundo lugar, accede a los datos del controlador de un dispositivo hermano directamente y sin ning\u00fan bloqueo, lo que significa que los datos del controlador pueden liberarse mientras se accede a ellos (por ejemplo, al desvincular el controlador). En tercer lugar, filtra una referencia de dispositivo de estructura al dispositivo hermano que se busca usando spmi_device_from_of() cada vez que un dispositivo de funci\u00f3n (secundario) llama a la funci\u00f3n revid (por ejemplo, en la sonda). Solucione este problema volviendo a implementar la b\u00fasqueda revid para que se realice solo en la sonda del dispositivo PMIC; el dispositivo base obtiene la informaci\u00f3n revid del hardware, mientras que cualquier dispositivo SPMI secundario obtiene la informaci\u00f3n del dispositivo base y la almacena en cach\u00e9 para que sus hijos puedan acceder a ella de forma segura. Si el dispositivo base a\u00fan no ha sido sondeado, se pospone la sonda de un dispositivo secundario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4ce77b023d42a9f1062eecf438df1af4b4072eb2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7b439aaa62fee474a0d84d67a25f4984467e7b95\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/affae18838db5e6b463ee30c821385695af56dc2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/db98de0809f12b0edb9cd1be78e1ec1bfeba8f40\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4ce77b023d42a9f1062eecf438df1af4b4072eb2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/7b439aaa62fee474a0d84d67a25f4984467e7b95\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/affae18838db5e6b463ee30c821385695af56dc2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/db98de0809f12b0edb9cd1be78e1ec1bfeba8f40\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

