Detections
Analytics
CVE-2023-54198
medium
Description
In the Linux kernel, the following vulnerability has been resolved: tty: fix out-of-bounds access in tty_driver_lookup_tty() When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number. To reproduce: qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ -kernel ../linux-build-x86/arch/x86/boot/bzImage \ -append "console=ttyS0 console=tty3270" This crashes with: [ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: error_code(0x0000) - not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 [ 0.784013] chrdev_open+0xbd/0x230 [ 0.784444] ? cdev_device_add+0x80/0x80 [ 0.784920] do_dentry_open+0x1e0/0x410 [ 0.785389] path_openat+0xca9/0x1050 [ 0.785813] do_filp_open+0xaa/0x150 [ 0.786240] file_open_name+0x133/0x1b0 [ 0.786746] filp_open+0x27/0x50 [ 0.787244] console_on_rootfs+0x14/0x4d [ 0.787800] kernel_init_freeable+0x1e4/0x20d [ 0.788383] ? rest_init+0xc0/0xc0 [ 0.788881] kernel_init+0x11/0x120 [ 0.789356] ret_from_fork+0x22/0x30
References
https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde
https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561
https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1
https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d
https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc
https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b
https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444
https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9