CVE-2023-52570

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52570
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52570.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52570
Downstream
Published
2024-03-02T21:59:40Z
Modified
2025-10-21T14:33:49.935775Z
Summary
vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()

Inject fault while probing mdpy.ko: if kstrdup() of create_dir() fails in kobject_add_internal() in kobject_init_and_add() in mdev_type_add() in parent_create_sysfs_files(), it will return 0 and probe successfully. And when rmmod mdpy.ko, mdpy_dev_exit() will call mdev_unregister_parent(), and mdev_type_remove() may traverse uninitialized parent->types[i] in parent_remove_sysfs_files(), which will cause the null-ptr-deref below.

If mdevtypeadd() fails, return the error code and kset_unregister() to fix the issue.

general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
 <TASK>
 ? die_addr+0x3d/0xa0
 ? exc_general_protection+0x144/0x220
 ? asm_exc_general_protection+0x22/0x30
 ? __kobject_del+0x62/0x1c0
 kobject_del+0x32/0x50
 parent_remove_sysfs_files+0xd6/0x170 [mdev]
 mdev_unregister_parent+0xfb/0x190 [mdev]
 ? mdev_register_parent+0x270/0x270 [mdev]
 ? find_module_all+0x9d/0xe0
 mdpy_dev_exit+0x17/0x63 [mdpy]
 __do_sys_delete_module.constprop.0+0x2fa/0x4b0
 ? module_flags+0x300/0x300
 ? __fput+0x4e7/0xa00
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fbc813221b7
Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7
RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58
RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000
R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870
R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0
 </TASK>
Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(000 ---truncated---
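The probe/unload sequence the commit message describes, as an added C model written for this page (not the kernel's own code): it keeps the page's function names but replaces kobjects with a hypothetical `inited` flag and drives the kstrdup() failure with a `fail_at` knob, so the same create and remove paths can be run in their buggy shape (error swallowed, probe succeeds, rmmod walks stale slots) and their fixed shape (error propagated, nothing left to unload).

```c
#include <errno.h>
#define NR_TYPES 3
/* Driver-owned mdev type stand-in; "inited" (hypothetical) = kobject_init_and_add() succeeded. */
struct mdev_type { int inited; };
struct mdev_parent { struct mdev_type types[NR_TYPES]; int nr_types; };
/* Fault injection for the kstrdup() failure in kobject_init_and_add(): type fail_at fails to add (-1 = never). */
static int fail_at = -1;
static int mdev_type_add(struct mdev_type *t, int idx)
{
    if (idx == fail_at) return -ENOMEM;
    t->inited = 1;
    return 0;
}
static void mdev_type_remove(struct mdev_type *t) { t->inited = 0; }

/* Creation loop with unwind; buggy and fixed differ only in the final return. */
static int parent_create_sysfs_files(struct mdev_parent *p, int fixed)
{
    int i, ret;
    for (i = 0; i < p->nr_types; i++) {
        ret = mdev_type_add(&p->types[i], i);
        if (ret) goto out_err;
    }
    return 0;
out_err:
    while (--i >= 0) mdev_type_remove(&p->types[i]);
    /* buggy: "return 0" lets probe succeed with a torn-down parent;
     * fixed: propagate ret (the kernel also calls kset_unregister() here). */
    return fixed ? ret : 0;
}

/* Teardown reached from mdev_unregister_parent(): walks every slot; each stale
 * slot is a kobject_del() on an uninitialised kobject, the reported crash. */
static int parent_remove_sysfs_files(struct mdev_parent *p)
{
    int i, stale = 0;
    for (i = 0; i < p->nr_types; i++)
        if (p->types[i].inited) mdev_type_remove(&p->types[i]); else stale++;
    return stale;
}

/* insmod then rmmod: a failed probe (< 0) registers nothing, so rmmod has
 * nothing to walk; otherwise returns how many stale slots rmmod touched. */
static int insmod_rmmod(int fail_idx, int fixed)
{
    fail_at = fail_idx;
    struct mdev_parent p = { .nr_types = NR_TYPES };
    int ret = parent_create_sysfs_files(&p, fixed);
    return ret ? ret : parent_remove_sysfs_files(&p);
}
```

With the fault injected at the second type, the buggy shape reports three stale slots on rmmod while the fixed shape stops at probe time with -ENOMEM.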

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
da44c340c4fe9d9653ae84fa6a60f406bafcffce
Fixed
c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
da44c340c4fe9d9653ae84fa6a60f406bafcffce
Fixed
52093779b1830ac184a23848d971f06404cf513e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
da44c340c4fe9d9653ae84fa6a60f406bafcffce
Fixed
c777b11d34e0f47dbbc4b018ef65ad030f2b283a

Affected versions

v6.*

v6.0
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.2
v6.5.3
v6.5.4
v6.5.5
v6.6-rc1
v6.6-rc2

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "258687390612781856769621759966879766188",
            "length": 428.0
        },
        "target": {
            "file": "drivers/vfio/mdev/mdev_sysfs.c",
            "function": "parent_create_sysfs_files"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@52093779b1830ac184a23848d971f06404cf513e",
        "id": "CVE-2023-52570-04e1ffbc",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "165815786554367281470417133678073831586",
                "29333736343390406043842637056097491158",
                "196181960819127487825982084625032401231",
                "290903868917906880154752503387328874986"
            ]
        },
        "target": {
            "file": "drivers/vfio/mdev/mdev_sysfs.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@52093779b1830ac184a23848d971f06404cf513e",
        "id": "CVE-2023-52570-0704c759",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "258687390612781856769621759966879766188",
            "length": 428.0
        },
        "target": {
            "file": "drivers/vfio/mdev/mdev_sysfs.c",
            "function": "parent_create_sysfs_files"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4",
        "id": "CVE-2023-52570-1b2eb3df",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "258687390612781856769621759966879766188",
            "length": 428.0
        },
        "target": {
            "file": "drivers/vfio/mdev/mdev_sysfs.c",
            "function": "parent_create_sysfs_files"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c777b11d34e0f47dbbc4b018ef65ad030f2b283a",
        "id": "CVE-2023-52570-46c1ddab",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "165815786554367281470417133678073831586",
                "29333736343390406043842637056097491158",
                "196181960819127487825982084625032401231",
                "290903868917906880154752503387328874986"
            ]
        },
        "target": {
            "file": "drivers/vfio/mdev/mdev_sysfs.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4",
        "id": "CVE-2023-52570-c70e1d8d",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "165815786554367281470417133678073831586",
                "29333736343390406043842637056097491158",
                "196181960819127487825982084625032401231",
                "290903868917906880154752503387328874986"
            ]
        },
        "target": {
            "file": "drivers/vfio/mdev/mdev_sysfs.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c777b11d34e0f47dbbc4b018ef65ad030f2b283a",
        "id": "CVE-2023-52570-f200824b",
        "deprecated": false,
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.56
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.5.6