DEBIAN-CVE-2023-53854

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2023-53854

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53854.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53854

Upstream

CVE-2023-53854

Published

2025-12-09T16:17:26.060Z

Modified

2025-12-10T11:16:53.846063Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8186: Fix use-after-free in driver remove path When devm runs function in the "remove" path for a device it runs them in the reverse order. That means that if you have parts of your driver that aren't using devm or are using "roll your own" devm w/ devmaddactionorreset() you need to keep that in mind. The mt8186 audio driver didn't quite get this right. Specifically, in mt8186initclock() it called mt8186audsysclkregister() and then went on to call a bunch of other devm function. The caller of mt8186initclock() used devmaddactionorreset() to call mt8186deinitclock() but, because of the intervening devm functions, the order was wrong. Specifically at probe time, the order was: 1. mt8186audsysclkregister() 2. afepriv->clk = devmkcalloc(...) 3. afepriv->clk[i] = devmclkget(...) At remove time, the order (which should have been 3, 2, 1) was: 1. mt8186audsysclkunregister() 3. Free all of afepriv->clk[i] 2. Free afepriv->clk The above seemed to be causing a use-after-free. Luckily, it's easy to fix this by simply using devm more correctly. Let's move the devmaddactionorreset() to the right place. In addition to fixing the use-after-free, code inspection shows that this fixes a leak (missing call to mt8186audsysclkunregister()) that would have happened if any of the sysconregmaplookupbyphandle() calls in mt8186init_clock() had failed.

References

https://security-tracker.debian.org/tracker/CVE-2023-53854

Affected packages

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.37-1

Affected versions

6.*

6.1.27-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53854.json"

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53854.json"

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53854.json"