VYPR
Unrated severityNVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2023-54104


Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()

'op->cs' is copied in 'fun->mchip_number' which is used to access the 'mchip_offsets' and the 'rnb_gpio' arrays. These arrays have NAND_MAX_CHIPS elements, so the index must be below this limit.

Fix the sanity check in order to avoid the NAND_MAX_CHIPS value. This would lead to out-of-bound accesses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An off-by-one error in the Linux kernel's Freescale UPM NAND driver could cause out-of-bounds array accesses; it is patched in stable updates.

Vulnerability Overview

CVE-2023-54104 is an off-by-one validation error in the fun_exec_op() function of the Linux kernel's Freescale User-Programmable Machine (UPM) NAND driver (mtd: rawnand: fsl_upm). The issue lies in a sanity check that allows the op->cs (chip select) value to be equal to NAND_MAX_CHIPS, which is one beyond the valid index range for the mchip_offsets and rnb_gpio arrays. These arrays are defined with NAND_MAX_CHIPS elements, so the maximum safe index is NAND_MAX_CHIPS - 1. This flaw can lead to out-of-bounds memory access when the driver uses op->cs as an index into these arrays.

Exploitability and Attack Vector

Exploitation requires an attacker capable of supplying a crafted NAND operation with a chip select value set to NAND_MAX_CHIPS. In a typical deployment, this would necessitate local access or the ability to influence the device tree or NAND controller interactions; the vulnerability is not remotely exploitable without prior system compromise. No authentication is bypassed; the bug is purely a boundary condition in the driver's internal validation logic.

Potential Impact

An out-of-bounds read or write on the mchip_offsets or rnb_gpio arrays could corrupt kernel memory, potentially leading to system crash (denial of service) or, under specific conditions, privilege escalation. The official description confirms that the fix prevents reaching NAND_MAX_CHIPS as an index, which would have caused "out-of-bound accesses."

Mitigation

The Linux kernel stable trees have released patches (commit references [1] and [2]) that correct the off-by-one comparison, changing the check from > to >= so that a chip select equal to NAND_MAX_CHIPS is rejected. Users are advised to update their kernels to include these fixes. No workarounds are documented; patching is the recommended action.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
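
The boundary condition described above, as a user-space model added here (it is not the kernel's code or the patch itself): the `model_fun` struct, the helper names and the value 8 for `NAND_MAX_CHIPS` are assumptions for illustration. It sweeps chip-select values through a check that accepts `cs == NAND_MAX_CHIPS` and one that rejects it, then shows the validate-then-index pattern.

```c
#include <errno.h>
#include <stdio.h>

#define NAND_MAX_CHIPS 8 /* assumed value for this model */

/* Simplified stand-in for the driver state (hypothetical layout):
 * both arrays hold NAND_MAX_CHIPS elements, valid indices 0..7. */
struct model_fun {
    unsigned int mchip_offsets[NAND_MAX_CHIPS];
    int rnb_gpio[NAND_MAX_CHIPS];
    unsigned int mchip_number;
};

/* Off-by-one shape of the test: cs == NAND_MAX_CHIPS passes. */
static int check_before(unsigned int cs)
{
    return cs > NAND_MAX_CHIPS ? -EINVAL : 0;
}

/* Corrected shape: anything that is not a valid index is rejected. */
static int check_after(unsigned int cs)
{
    return cs >= NAND_MAX_CHIPS ? -EINVAL : 0;
}

/* Count cs values a check accepts although they are not valid indices;
 * the first such value is stored in *first_bad when it is non-NULL. */
static int count_unsafe_accepted(int (*check)(unsigned int), unsigned int *first_bad)
{
    int n = 0;
    for (unsigned int cs = 0; cs <= 2 * NAND_MAX_CHIPS; cs++) {
        if (check(cs) == 0 && cs >= NAND_MAX_CHIPS) {
            if (n == 0 && first_bad)
                *first_bad = cs;
            n++;
        }
    }
    return n;
}

/* Validate first, then copy cs and use it as the array index. */
static int model_select(struct model_fun *fun, unsigned int cs, unsigned int *offset)
{
    if (check_after(cs))
        return -EINVAL;
    fun->mchip_number = cs;
    *offset = fun->mchip_offsets[fun->mchip_number];
    return 0;
}

int main(void)
{
    struct model_fun fun = {0};
    unsigned int bad = 0, off = 0;
    printf("before: %d unsafe value(s) accepted\n", count_unsafe_accepted(check_before, &bad));
    printf("after:  %d unsafe value(s) accepted\n", count_unsafe_accepted(check_after, NULL));
    printf("select(%d) -> %d\n", NAND_MAX_CHIPS, model_select(&fun, NAND_MAX_CHIPS, &off));
    return 0;
}
```

The same sweep works as a regression check for any bounds test that guards a fixed-size array: feed it the array length and the values around it, and assert that nothing at or above the length is accepted.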
