CVE-2023-53864

Vulnerability

CVE-2023-53864 is a NULL pointer dereference vulnerability in the Linux kernel's mxsfb DRM driver for i.MX SoCs. The bug occurs in the overlay plane disable path: when mxsfb_plane_overlay_atomic_update() disables the overlay plane, it still tries to dereference the plane's framebuffer pointer, which is NULL at that point. The root cause is that the disable logic was placed in the wrong function—it should have been handled in mxsfb_plane_overlay_atomic_disable(), where the framebuffer pointer is not accessed [1][2][3].

Exploitation

An attacker would need to be able to trigger an atomic display update that disables the overlay plane on a system using the mxsfb driver. This could be achieved through a crafted DRM application (e.g., a Wayland compositor or direct DRM client) that issues a disable operation. No special privileges beyond local user access to /dev/dri/card* are required—a standard unprivileged user can open the DRM device and submit atomic commits. The attack surface is local, as the DRM subsystem is only accessible from userspace on the same machine [1][2][3].

Impact

Successful exploitation causes a kernel NULL pointer dereference, leading to a kernel Oops (panic/BSOD) and denial of service (DoS). Since the bug is in a DRM driver, the system display will freeze or crash, potentially requiring a reboot. No privilege escalation is possible because the crash occurs in kernel context without controlled data leakage [1][2][3].

Mitigation

The fix was committed to the Linux kernel stable trees as commits 0f98de0a11d2, 8bf2d4ca521d, and aa656d48e871, which move the overlay disable code into mxsfb_plane_overlay_atomic_disable(). Users should update to a kernel version containing these commits. No workaround exists besides avoiding the use of overlay planes on affected systems [1][2][3].