In the Linux kernel, the following vulnerability has been resolved:
spmi: mediatek: Fix UAF on device remove
The pmif driver data that contains the clocks is allocated along with spmi_controller. On device remove, spmi_controller is freed first, and only then are the devres-managed resources, including the clocks, cleaned up. This leads to a use-after-free (UAF) because putting the clocks accesses the clocks in the pmif driver data, which has already been freed along with spmi_controller.
This can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and building the kernel with KASAN.
Fix the UAF issue by using the unmanaged clk_bulk_get() and putting the clocks before freeing spmi_controller.
{ "vanir_signatures": [ { "id": "CVE-2023-52584-30e8e791", "signature_type": "Function", "target": { "file": "drivers/spmi/spmi-mtk-pmif.c", "function": "mtk_spmi_remove" }, "deprecated": false, "digest": { "length": 191.0, "function_hash": "228405622841805388936105403144067822600" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e821d50ab5b956ed0effa49faaf29912fd4106d9" }, { "id": "CVE-2023-52584-3abed435", "signature_type": "Function", "target": { "file": "drivers/spmi/spmi-mtk-pmif.c", "function": "mtk_spmi_probe" }, "deprecated": false, "digest": { "length": 1787.0, "function_hash": "184278784736811836119680657011121951551" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e821d50ab5b956ed0effa49faaf29912fd4106d9" }, { "id": "CVE-2023-52584-51a476c0", "signature_type": "Function", "target": { "file": "drivers/spmi/spmi-mtk-pmif.c", "function": "mtk_spmi_remove" }, "deprecated": false, "digest": { "length": 202.0, "function_hash": "326289877498627311119894985890786830591" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@521f28eedd6b14228c46e3b81e3bf9b90c2818d8" }, { "id": "CVE-2023-52584-7d0dc7ca", "signature_type": "Line", "target": { "file": "drivers/spmi/spmi-mtk-pmif.c" }, "deprecated": false, "digest": { "line_hashes": [ "57955821781779263813707322962151234043", "66622906817499170798252746784154671567", "105221649268016460568354817171152283217", "122775735690042178870804564366425091933", "319607293245495343250593293022079639527", "333643911732875001396326489543803134116", "52220170263037042919034006418060382278", "109739608817247240336533216401820622720", "99566176798625055980641692548360246849", "328770194740992009104828191926685322892", "247429270420404815707943462063098707462", "8099534677105398681755883902288998774", "220567750784624368915501691905788375293", 
"180726559626677751109410036632491381262", "191261748485443125863477033730718070605", "214138395314603009467843277870401820924" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e821d50ab5b956ed0effa49faaf29912fd4106d9" }, { "id": "CVE-2023-52584-9a0d51d8", "signature_type": "Function", "target": { "file": "drivers/spmi/spmi-mtk-pmif.c", "function": "mtk_spmi_probe" }, "deprecated": false, "digest": { "length": 1787.0, "function_hash": "184278784736811836119680657011121951551" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@521f28eedd6b14228c46e3b81e3bf9b90c2818d8" }, { "id": "CVE-2023-52584-aaf9e09a", "signature_type": "Line", "target": { "file": "drivers/spmi/spmi-mtk-pmif.c" }, "deprecated": false, "digest": { "line_hashes": [ "57955821781779263813707322962151234043", "66622906817499170798252746784154671567", "105221649268016460568354817171152283217", "122775735690042178870804564366425091933", "319607293245495343250593293022079639527", "333643911732875001396326489543803134116", "52220170263037042919034006418060382278", "109739608817247240336533216401820622720", "99566176798625055980641692548360246849", "328770194740992009104828191926685322892", "247429270420404815707943462063098707462", "8099534677105398681755883902288998774", "220567750784624368915501691905788375293", "180726559626677751109410036632491381262", "191261748485443125863477033730718070605", "277045684026435910816383117314146907783" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@521f28eedd6b14228c46e3b81e3bf9b90c2818d8" } ] }