In the Linux kernel, the following vulnerability has been resolved:
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read().
Call chain leading to the dereference (the callback invoked at each step is shown on the right):

ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify                      nb->notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add      not->add()
                    ftl_add_mtd            tr->add_mtd()
                      scan_header
                        mtd_read
                          mtd_read_oob
                            mtd_read_oob_std
                              gluebi_read  mtd->read()
                                gluebi->desc - NULL
Detailed reproduction information is available at link [1].
In the normal case, gluebi->desc is obtained in gluebi_get_device() and then accessed in gluebi_read(). However, gluebi_get_device() is not executed beforehand on the ftl_add_mtd() path, which leads to the NULL pointer dereference.
The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME.
{ "vanir_signatures": [ { "id": "CVE-2023-52449-09f79cf5", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "blktrans_notify_add" }, "deprecated": false, "digest": { "length": 189.0, "function_hash": "302269610217745319261514553973185002459" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bf4fe14e97cda621522eb2f28b0a4e87c5b0745" }, { "id": "CVE-2023-52449-0c898133", "signature_type": "Line", "target": { "file": "drivers/mtd/mtd_blkdevs.c" }, "deprecated": false, "digest": { "line_hashes": [ "301630847528704775866997325854314227705", "18031427934366856214016954948496905550", "232951284830572146518709374997827290253", "229302127793767921299784991809429275110", "66300802812558147469065699690327653198", "6984888835958931952727984956115822402", "77256464107132085856647904845773012510", "158345217223905178475193038926670780926" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022" }, { "id": "CVE-2023-52449-2067561f", "signature_type": "Line", "target": { "file": "drivers/mtd/mtd_blkdevs.c" }, "deprecated": false, "digest": { "line_hashes": [ "301630847528704775866997325854314227705", "18031427934366856214016954948496905550", "232951284830572146518709374997827290253", "229302127793767921299784991809429275110", "91727899174079871328567020695329357764", "6984888835958931952727984956115822402", "77256464107132085856647904845773012510", "158345217223905178475193038926670780926" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d8ac2537763b54d278b80b2b080e1652523c7d4c" }, { "id": "CVE-2023-52449-20efcbf7", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "register_mtd_blktrans" }, "deprecated": false, "digest": { "length": 687.0, "function_hash": 
"104738389442009991093535256346062611242" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cfd7c9d260dc0a3baaea05a122a19ab91e193c65" }, { "id": "CVE-2023-52449-23b8c361", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "blktrans_notify_add" }, "deprecated": false, "digest": { "length": 189.0, "function_hash": "302269610217745319261514553973185002459" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cfd7c9d260dc0a3baaea05a122a19ab91e193c65" }, { "id": "CVE-2023-52449-282fc3ee", "signature_type": "Line", "target": { "file": "drivers/mtd/mtd_blkdevs.c" }, "deprecated": false, "digest": { "line_hashes": [ "301630847528704775866997325854314227705", "18031427934366856214016954948496905550", "232951284830572146518709374997827290253", "229302127793767921299784991809429275110", "66300802812558147469065699690327653198", "6984888835958931952727984956115822402", "77256464107132085856647904845773012510", "158345217223905178475193038926670780926" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@001a3f59d8c914ef8273461d4bf495df384cc5f8" }, { "id": "CVE-2023-52449-2efe0cdf", "signature_type": "Line", "target": { "file": "drivers/mtd/mtd_blkdevs.c" }, "deprecated": false, "digest": { "line_hashes": [ "301630847528704775866997325854314227705", "18031427934366856214016954948496905550", "232951284830572146518709374997827290253", "229302127793767921299784991809429275110", "66300802812558147469065699690327653198", "6984888835958931952727984956115822402", "77256464107132085856647904845773012510", "158345217223905178475193038926670780926" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bf4fe14e97cda621522eb2f28b0a4e87c5b0745" }, { "id": "CVE-2023-52449-3385ff59", "signature_type": 
"Line", "target": { "file": "drivers/mtd/mtd_blkdevs.c" }, "deprecated": false, "digest": { "line_hashes": [ "301630847528704775866997325854314227705", "18031427934366856214016954948496905550", "232951284830572146518709374997827290253", "229302127793767921299784991809429275110", "91727899174079871328567020695329357764", "6984888835958931952727984956115822402", "77256464107132085856647904845773012510", "158345217223905178475193038926670780926" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5389407bba1eab1266c6d83e226fb0840cb98dd5" }, { "id": "CVE-2023-52449-493f8b19", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "blktrans_notify_add" }, "deprecated": false, "digest": { "length": 189.0, "function_hash": "302269610217745319261514553973185002459" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5389407bba1eab1266c6d83e226fb0840cb98dd5" }, { "id": "CVE-2023-52449-52af2a6b", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "blktrans_notify_add" }, "deprecated": false, "digest": { "length": 189.0, "function_hash": "302269610217745319261514553973185002459" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc" }, { "id": "CVE-2023-52449-59d6dd8f", "signature_type": "Line", "target": { "file": "drivers/mtd/mtd_blkdevs.c" }, "deprecated": false, "digest": { "line_hashes": [ "301630847528704775866997325854314227705", "18031427934366856214016954948496905550", "232951284830572146518709374997827290253", "229302127793767921299784991809429275110", "91727899174079871328567020695329357764", "6984888835958931952727984956115822402", "77256464107132085856647904845773012510", "158345217223905178475193038926670780926" ], "threshold": 0.9 }, "signature_version": "v1", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cfd7c9d260dc0a3baaea05a122a19ab91e193c65" }, { "id": "CVE-2023-52449-5b23ae22", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "register_mtd_blktrans" }, "deprecated": false, "digest": { "length": 720.0, "function_hash": "28914704260118580940052399670263846570" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bf4fe14e97cda621522eb2f28b0a4e87c5b0745" }, { "id": "CVE-2023-52449-5db69ac1", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "blktrans_notify_add" }, "deprecated": false, "digest": { "length": 189.0, "function_hash": "302269610217745319261514553973185002459" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6" }, { "id": "CVE-2023-52449-7448643e", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "blktrans_notify_add" }, "deprecated": false, "digest": { "length": 189.0, "function_hash": "302269610217745319261514553973185002459" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022" }, { "id": "CVE-2023-52449-835fb090", "signature_type": "Line", "target": { "file": "drivers/mtd/mtd_blkdevs.c" }, "deprecated": false, "digest": { "line_hashes": [ "301630847528704775866997325854314227705", "18031427934366856214016954948496905550", "232951284830572146518709374997827290253", "229302127793767921299784991809429275110", "91727899174079871328567020695329357764", "6984888835958931952727984956115822402", "77256464107132085856647904845773012510", "158345217223905178475193038926670780926" ], "threshold": 0.9 }, "signature_version": "v1", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6" }, { "id": "CVE-2023-52449-8ea44f80", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "register_mtd_blktrans" }, "deprecated": false, "digest": { "length": 687.0, "function_hash": "104738389442009991093535256346062611242" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc" }, { "id": "CVE-2023-52449-8fad4639", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "blktrans_notify_add" }, "deprecated": false, "digest": { "length": 189.0, "function_hash": "302269610217745319261514553973185002459" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d8ac2537763b54d278b80b2b080e1652523c7d4c" }, { "id": "CVE-2023-52449-9496211b", "signature_type": "Line", "target": { "file": "drivers/mtd/mtd_blkdevs.c" }, "deprecated": false, "digest": { "line_hashes": [ "301630847528704775866997325854314227705", "18031427934366856214016954948496905550", "232951284830572146518709374997827290253", "229302127793767921299784991809429275110", "91727899174079871328567020695329357764", "6984888835958931952727984956115822402", "77256464107132085856647904845773012510", "158345217223905178475193038926670780926" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc" }, { "id": "CVE-2023-52449-a0fa4d3c", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "register_mtd_blktrans" }, "deprecated": false, "digest": { "length": 687.0, "function_hash": "104738389442009991093535256346062611242" }, "signature_version": "v1", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6" }, { "id": "CVE-2023-52449-e679b1de", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "register_mtd_blktrans" }, "deprecated": false, "digest": { "length": 720.0, "function_hash": "28914704260118580940052399670263846570" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@001a3f59d8c914ef8273461d4bf495df384cc5f8" }, { "id": "CVE-2023-52449-e9053f3d", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "blktrans_notify_add" }, "deprecated": false, "digest": { "length": 189.0, "function_hash": "302269610217745319261514553973185002459" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@001a3f59d8c914ef8273461d4bf495df384cc5f8" }, { "id": "CVE-2023-52449-e90ec2f4", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "register_mtd_blktrans" }, "deprecated": false, "digest": { "length": 720.0, "function_hash": "28914704260118580940052399670263846570" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022" }, { "id": "CVE-2023-52449-f014314e", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "register_mtd_blktrans" }, "deprecated": false, "digest": { "length": 687.0, "function_hash": "104738389442009991093535256346062611242" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d8ac2537763b54d278b80b2b080e1652523c7d4c" }, { "id": "CVE-2023-52449-faabaf7f", "signature_type": "Function", "target": { "file": "drivers/mtd/mtd_blkdevs.c", "function": "register_mtd_blktrans" }, "deprecated": false, "digest": { "length": 687.0, "function_hash": 
"104738389442009991093535256346062611242" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5389407bba1eab1266c6d83e226fb0840cb98dd5" } ] }