CVE-2023-54093

Root

Cause In the Linux kernel's media subsystem, the anysee_master_xfer function in the anysee driver lacks a sanity check on msg[i].len. When msg[i].buf is null and msg[i].len is zero, the former checks on msg[i].buf are bypassed, allowing a null pointer dereference when accessing msg[i].buf[0] without validation. This vulnerability is similar to the fix for the az6027 driver (commit 0ed554fd769a) [1].

Attack

Scenario An attacker with the ability to control the msg structure (e.g., via crafted USB control messages) can trigger the null pointer dereference. No authentication is required if the attacker can physically connect a malicious USB device or interact with the driver through other attack vectors. The attack is local, requiring access to the system's USB subsystem.

Impact

Successful exploitation leads to a kernel crash (denial of service). In some configurations, it could potentially be leveraged for privilege escalation, though the primary impact is system instability.

Mitigation

The fix adds a check on msg[i].len before accessing msg[i].buf[0], preventing the null pointer dereference. The patch has been applied to the stable kernel branches as commits [2] and [3]. Users should update to kernel versions including these commits.