CVE-2023-54017
Description
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
If device_register() returns an error in ibmebus_bus_init(), the name of the kobject, which is allocated in dev_set_name() called in device_add(), is leaked.
As the comment of device_add() says, it should call put_device() to drop the reference count that was set in device_initialize() when it fails, so the name can be freed in kobject_cleanup().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory leak in Linux kernel's ibmebus_bus_init() when device_register() fails; requires put_device() to free kobject name.
Vulnerability
The Linux kernel's PowerPC pseries architecture contains a memory leak in the ibmebus_bus_init() function. When device_register() fails, the name allocated by dev_set_name() (called during device_add()) is not properly freed, as the function does not call put_device() to release the reference count set by device_initialize() [1].
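The reference-count lifecycle described above, as an added user-space model in C that is not the kernel's code or the fix commit. The `toy_*` functions, the `names_left_after_failed_init()` helper and the sample name "ibmebus" are assumptions standing in for device_register(), device_add() and put_device().

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* User-space model (assumption), not kernel code: toy_* names are hypothetical
 * stand-ins for struct device and the driver-core calls named in the CVE. */
struct toy_device { int refcount; char *name; };

static struct toy_device bus_device;  /* the single device the init path registers */
static int live_names;                /* name allocations not yet freed */

/* Models device_add(): the name is allocated first, then a later step fails. */
static int toy_device_add(struct toy_device *d, const char *name, int fail)
{
    d->name = malloc(strlen(name) + 1);   /* stands in for dev_set_name() */
    if (!d->name)
        return -ENOMEM;
    strcpy(d->name, name);
    live_names++;
    return fail ? -EEXIST : 0;            /* any failure after the name is set */
}

/* Models device_register(): device_initialize() followed by device_add(). */
static int toy_device_register(struct toy_device *d, const char *name, int fail)
{
    d->refcount = 1;                      /* device_initialize() takes the first ref */
    return toy_device_add(d, name, fail);
}

/* Models put_device(): the last reference runs the cleanup that frees the name. */
static void toy_put_device(struct toy_device *d)
{
    if (--d->refcount == 0) {
        if (d->name)
            live_names--;
        free(d->name);
        d->name = NULL;
    }
}

/* Runs the failed-registration path; returns how many names stay allocated. */
int names_left_after_failed_init(int call_put_device)
{
    live_names = 0;
    if (toy_device_register(&bus_device, "ibmebus", 1) != 0 && call_put_device)
        toy_put_device(&bus_device);      /* the fix: drop the initial reference */
    return live_names;
}
```

Calling `names_left_after_failed_init(0)` models the error path without put_device() and leaves one name allocated; passing `1` models the corrected path and leaves none.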
Exploitation
This vulnerability is triggered only during early system initialization when the ibmebus subsystem attempts to register a device and that registration fails. An attacker would need to cause the kernel to hit this error path—for example, by manipulating device tree nodes or triggering allocation failures—but exploitation is local and requires either physical access or existing kernel privileges to influence boot-time behavior.
Impact
Successful exploitation leads to a kernel memory leak that can degrade system performance over time by exhausting available memory. The leak affects a single kobject name per failed registration, so repeated triggers would be needed for significant impact. There is no evidence of privilege escalation or arbitrary code execution.
Mitigation
The fix was applied in Linux kernel stable releases and can be identified by commits d35e7ae10eb8, ebd8dc974fcc, and e4ff88548def [1][2][3]. Users should update to a patched kernel version. No workaround is available other than avoiding the error condition.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (8)
e4ff88548def, 3cc4c2f6c266, 7ffe14fce742, 9f3b2b666833, d35e7ae10eb8, 96f27ff73220, ebd8dc974fcc, afda85b963c1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c (nvd)
- git.kernel.org/stable/c/7ffe14fce7425c32e735bdc44bce425f18976a49 (nvd)
- git.kernel.org/stable/c/96f27ff732208dce6468016e7a7d5032bd1bfc23 (nvd)
- git.kernel.org/stable/c/9f3b2b666833ebef6d0ce5a40e189f38e70342a1 (nvd)
- git.kernel.org/stable/c/afda85b963c12947e298ad85d757e333aa40fd74 (nvd)
- git.kernel.org/stable/c/d35e7ae10eb8917883da2a0b1823c620a1be42d6 (nvd)
- git.kernel.org/stable/c/e4ff88548defafb1ef84facd9856ec252da7b008 (nvd)
- git.kernel.org/stable/c/ebd8dc974fcc59e2851a0d89ee7935b55142dc8e (nvd)