CVE-2023-52765

{"id": "CVE-2023-52765", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.5}]}, "published": "2024-05-21T16:15:15.777", "references": [{"url": "https://git.kernel.org/stable/c/4ce77b023d42a9f1062eecf438df1af4b4072eb2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7b439aaa62fee474a0d84d67a25f4984467e7b95", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/affae18838db5e6b463ee30c821385695af56dc2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/db98de0809f12b0edb9cd1be78e1ec1bfeba8f40", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4ce77b023d42a9f1062eecf438df1af4b4072eb2", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/7b439aaa62fee474a0d84d67a25f4984467e7b95", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/affae18838db5e6b463ee30c821385695af56dc2", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/db98de0809f12b0edb9cd1be78e1ec1bfeba8f40", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmfd: qcom-spmi-pmic: Fix revid implementation\n\nThe Qualcomm SPMI PMIC revid implementation is broken in multiple ways.\n\nFirst, it assumes that just because the sibling base device has been\nregistered that means that it is also bound to a driver, which may not\nbe the case (e.g. due to probe deferral or asynchronous probe). This\ncould trigger a NULL-pointer dereference when attempting to access the\ndriver data of the unbound device.\n\nSecond, it accesses driver data of a sibling device directly and without\nany locking, which means that the driver data may be freed while it is\nbeing accessed (e.g. on driver unbind).\n\nThird, it leaks a struct device reference to the sibling device which is\nlooked up using the spmi_device_from_of() every time a function (child)\ndevice is calling the revid function (e.g. on probe).\n\nFix this mess by reimplementing the revid lookup so that it is done only\nat probe of the PMIC device; the base device fetches the revid info from\nthe hardware, while any secondary SPMI device fetches the information\nfrom the base device and caches it so that it can be accessed safely\nfrom its children. If the base device has not been probed yet then probe\nof a secondary device is deferred."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mfd: qcom-spmi-pmic: reparaci\u00f3n de la implementaci\u00f3n revid. La implementaci\u00f3n revid de Qualcomm SPMI PMIC est\u00e1 rota de varias maneras. En primer lugar, se supone que el hecho de que el dispositivo base hermano se haya registrado significa que tambi\u00e9n est\u00e1 vinculado a un controlador, lo que puede no ser el caso (por ejemplo, debido a un aplazamiento de la sonda o una sonda asincr\u00f3nica). Esto podr\u00eda desencadenar una desreferencia del puntero NULL al intentar acceder a los datos del controlador del dispositivo independiente. En segundo lugar, accede a los datos del controlador de un dispositivo hermano directamente y sin ning\u00fan bloqueo, lo que significa que los datos del controlador pueden liberarse mientras se accede a ellos (por ejemplo, al desvincular el controlador). En tercer lugar, filtra una referencia de dispositivo de estructura al dispositivo hermano que se busca usando spmi_device_from_of() cada vez que un dispositivo de funci\u00f3n (secundario) llama a la funci\u00f3n revid (por ejemplo, en la sonda). Solucione este problema volviendo a implementar la b\u00fasqueda revid para que se realice solo en la sonda del dispositivo PMIC; el dispositivo base obtiene la informaci\u00f3n revid del hardware, mientras que cualquier dispositivo SPMI secundario obtiene la informaci\u00f3n del dispositivo base y la almacena en cach\u00e9 para que sus hijos puedan acceder a ella de forma segura. Si el dispositivo base a\u00fan no ha sido sondeado, se pospone la sonda de un dispositivo secundario."}], "lastModified": "2025-04-02T15:03:42.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06B6ACCF-31F1-4421-964C-7F3C54F0E3E2", "versionEndExcluding": "6.1.64", "versionStartIncluding": "6.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "674C4F82-C336-4B49-BF64-1DE422E889C4", "versionEndExcluding": "6.5.13", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B58252FA-A49C-411F-9B28-DC5FE44BC5A0", "versionEndExcluding": "6.6.3", "versionStartIncluding": "6.6"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}