CVE-2023-53856
Description
In the Linux kernel, the following vulnerability has been resolved:
of: overlay: Call of_changeset_init() early
When of_overlay_fdt_apply() fails, the changeset may be partially applied, and the caller is still expected to call of_overlay_remove() to clean up this partial state.
However, of_overlay_apply() calls of_resolve_phandles() before init_overlay_changeset(). Hence if the overlay fails to apply due to an unresolved symbol, the overlay_changeset.cset.entries list is still uninitialized, and cleanup will crash with a NULL-pointer dereference in overlay_removal_is_ok().
Fix this by moving the call to of_changeset_init() from init_overlay_changeset() to of_overlay_fdt_apply(), where all other early initialization is done.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL-pointer dereference in Linux kernel's device tree overlay removal occurs when an overlay fails due to unresolved phandles, fixed by initializing the changeset earlier.
Vulnerability
Overview
In the Linux kernel's device tree overlay subsystem, a NULL-pointer dereference exists in the overlay removal path. The root cause is an ordering problem: of_changeset_init() is called inside init_overlay_changeset(), but of_overlay_apply() calls of_resolve_phandles() before init_overlay_changeset(). If the overlay fails to apply because of an unresolved phandle, the function returns before the changeset's cset.entries list head has been initialized. The overlay_changeset structure is zero-allocated, so the list head's next pointer is NULL rather than pointing back at the head. The caller is still expected to call of_overlay_remove() to discard the partially applied overlay, and overlay_removal_is_ok() walks cset.entries with list_for_each_entry(); the first dereference of the NULL next pointer crashes the kernel [1][2].
Exploitation
To trigger this bug, an attacker must be able to make the kernel apply a device tree overlay that contains an unresolvable phandle and then run the failure cleanup path (of_overlay_remove() on the failed changeset, which is what the API contract requires of callers). of_overlay_fdt_apply() is reached through in-kernel callers, so in practice this means local, privileged control over which overlay blob those callers load; an unprivileged user has no direct path to the overlay loader. No further authentication is involved once an overlay can be supplied.
Impact
Successful exploitation results in a denial of service (DoS): the NULL-pointer dereference in overlay_removal_is_ok() produces a kernel oops or panic, crashing or hanging the system. There is no indication of privilege escalation or data corruption beyond the immediate crash.
Mitigation
The fix moves the call to of_changeset_init() from init_overlay_changeset() to of_overlay_fdt_apply(), next to the other early initialization, so cset.entries is a valid empty list before any point at which applying the overlay can fail; cleanup after a failed apply then finds an empty list instead of a NULL pointer. The patch has been applied to the Linux kernel stable branches listed under References [1][2]. Users are advised to update to a stable kernel release containing this fix.
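The ordering problem from the Overview and the fix described above, as an added user-space model rather than code from the kernel or from this page: struct and function names mirror drivers/of/overlay.c, but every body is a simplified stand-in, and the `unresolved_symbol` flag, `apply_before_fix()`, `apply_after_fix()` and `apply_then_cleanup()` are assumptions made for the illustration. The removal check reports a NULL list head with `-EFAULT` instead of dereferencing it, which is where the real kernel crashes.

```c
/*
 * Added example (not kernel code): user-space model of the ordering bug behind
 * CVE-2023-53856.  Names mirror drivers/of/overlay.c; bodies are stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal circular doubly linked list, modelled on <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

/* Stand-in for struct of_changeset: the list of pending changeset entries. */
struct of_changeset { struct list_head entries; };

/* Stand-in for struct overlay_changeset. */
struct overlay_changeset {
    int id;
    struct of_changeset cset;
};

/* Stand-in for of_changeset_init(): makes cset.entries a valid empty list. */
static void of_changeset_init(struct of_changeset *cs) { INIT_LIST_HEAD(&cs->entries); }

/* Stand-in for of_resolve_phandles(): fails when the overlay has an unresolved symbol
 * (the assumed unresolved_symbol flag replaces real symbol lookup). */
static int of_resolve_phandles(int unresolved_symbol) { return unresolved_symbol ? -EINVAL : 0; }

/* Stand-in for overlay_removal_is_ok(), which walks cset.entries with
 * list_for_each_entry().  On a zero-filled struct whose list was never
 * initialised, entries.next is NULL and the kernel dereferences it.
 * Here that case is detected and reported as -EFAULT; 1 means removal is ok
 * (the kernel function returns 1 for ok, 0 for not ok). */
static int overlay_removal_is_ok(const struct overlay_changeset *ovcs)
{
    const struct list_head *head = &ovcs->cset.entries;
    const struct list_head *pos;

    if (head->next == NULL)
        return -EFAULT;             /* NULL-pointer dereference in the kernel */
    for (pos = head->next; pos != head; pos = pos->next)
        ;                           /* per-entry checks would run here */
    return 1;
}

/* Vulnerable ordering (before the fix): of_changeset_init() lives in
 * init_overlay_changeset(), which runs only after of_resolve_phandles() succeeds. */
static int apply_before_fix(struct overlay_changeset *ovcs, int unresolved_symbol)
{
    int ret = of_resolve_phandles(unresolved_symbol);
    if (ret)
        return ret;                 /* cset.entries is still all-zero here */
    of_changeset_init(&ovcs->cset); /* formerly inside init_overlay_changeset() */
    return 0;
}

/* Fixed ordering: of_changeset_init() moved to of_overlay_fdt_apply(),
 * before any point at which applying the overlay can fail. */
static int apply_after_fix(struct overlay_changeset *ovcs, int unresolved_symbol)
{
    of_changeset_init(&ovcs->cset);
    return of_resolve_phandles(unresolved_symbol);
}

/* Follows the caller's contract: apply, and whether or not that fails, run the
 * removal path.  Returns the removal-path result (1 = clean, -EFAULT = would
 * have crashed, -ENOMEM = allocation failure). */
static int apply_then_cleanup(int (*apply)(struct overlay_changeset *, int),
                              int unresolved_symbol)
{
    /* kzalloc() in of_overlay_fdt_apply() zero-fills the struct; calloc() models that. */
    struct overlay_changeset *ovcs = calloc(1, sizeof(*ovcs));
    int rc;

    if (!ovcs)
        return -ENOMEM;
    (void)apply(ovcs, unresolved_symbol);
    rc = overlay_removal_is_ok(ovcs);
    free(ovcs);
    return rc;
}

int main(void)
{
    printf("before fix, unresolved symbol: removal rc=%d (-EFAULT = would crash)\n",
           apply_then_cleanup(apply_before_fix, 1));
    printf("after fix,  unresolved symbol: removal rc=%d (1 = clean)\n",
           apply_then_cleanup(apply_after_fix, 1));
    return 0;
}
```

Only the order of two calls differs between the two apply variants; the zero-filled allocation is what turns "list never initialised" into a NULL pointer, which is why initialising the changeset before the first failure point is sufficient as a fix.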
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- c403c81b577a
- 01bb96ad3808
- 3fb210cd521c
- be86241bf5d1
- a9515ff4fb14
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/01bb96ad38089f5cc6de7746dac13437d35eb1dc
- git.kernel.org/stable/c/3fb210cd521c9efcb211e9f5ce40fc907200bf13
- git.kernel.org/stable/c/a9515ff4fb142b690a0d2b58782b15903b990dba
- git.kernel.org/stable/c/be86241bf5d1efd16d8a7231c13b33459c5d755d
- git.kernel.org/stable/c/c403c81b577a67fe9ec6a2e89d143256487be50f