CVE-2023-54122
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Add check for cstate
As kzalloc may fail and return NULL pointer, it should be better to check cstate in order to avoid the NULL pointer dereference in __drm_atomic_helper_crtc_reset.
Patchwork: https://patchwork.freedesktop.org/patch/514163/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing NULL pointer check after a kzalloc call in the MSM DPU driver could lead to a NULL pointer dereference in the Linux kernel.
Root Cause
The vulnerability resides in the MSM Display Processing Unit (DPU) driver within the Linux kernel. The drm/msm/dpu code allocates memory via kzalloc for a cstate structure but does not verify that the allocation succeeded. If kzalloc fails and returns a NULL pointer, the subsequent call to __drm_atomic_helper_crtc_reset will dereference this NULL pointer, leading to a kernel crash or potential exploitation [1][2].
Exploitation
An attacker would need to trigger a memory allocation failure in the kernel, which can be achieved by exhausting system memory or through other resource exhaustion techniques. No special privileges are required beyond the ability to trigger a DRM atomic commit operation that invokes the vulnerable code path. The attack surface is local, as the DRM subsystem is accessible to users with access to the graphics device.
Impact
Successful exploitation results in a NULL pointer dereference, causing a kernel panic (denial of service). In some configurations, this could potentially be leveraged for privilege escalation if the attacker can control the dereferenced memory, though the primary impact is system instability.
Mitigation
The fix adds a NULL check after kzalloc and returns an appropriate error code if allocation fails. The patch has been applied to the stable kernel branches as referenced in [1] and [2]. Users should update their kernels to include this commit.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
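The pattern described under Root Cause and Mitigation, shown as a userspace C model added here for illustration; it is not the kernel patch or code from the referenced commits. All names (model_zalloc, model_helper_reset, reset_unchecked, reset_checked, fail_next_alloc) are hypothetical stand-ins, and the error return follows the Mitigation text above.

```c
/* Userspace model constructed for illustration; not kernel source. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct model_base_state { int active; };                          /* hypothetical base state */
struct model_cstate { struct model_base_state base; int priv; };  /* hypothetical driver state */
struct model_crtc { struct model_base_state *state; };
static int fail_next_alloc;  /* fault injection: nonzero makes the next allocation fail */

/* Models kzalloc(): zeroed memory on success, NULL on allocation failure. */
void *model_zalloc(size_t size)
{
    int fail = fail_next_alloc;
    fail_next_alloc = 0;
    return fail ? NULL : calloc(1, size);
}

/* Models a reset helper that writes through the state pointer it receives. */
void model_helper_reset(struct model_crtc *crtc, struct model_base_state *st)
{
    st->active = 0;
    crtc->state = st;
}

/* Before: the allocation result is used without a check. */
void reset_unchecked(struct model_crtc *crtc)
{
    struct model_cstate *cstate = model_zalloc(sizeof(*cstate));
    model_helper_reset(crtc, &cstate->base);  /* NULL dereference if the allocation failed */
}

/* After: check the allocation and report the failure instead of dereferencing. */
int reset_checked(struct model_crtc *crtc)
{
    struct model_cstate *cstate = model_zalloc(sizeof(*cstate));
    if (!cstate)
        return -ENOMEM;  /* crtc->state is left untouched */
    model_helper_reset(crtc, &cstate->base);
    return 0;
}

int main(void)
{
    struct model_crtc crtc = { 0 };
    fail_next_alloc = 1;
    printf("reset with failed allocation: %d\n", reset_checked(&crtc));
    return 0;
}
```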
Affected products: 1
Patches: 6
- a6afb8293ec0
- 31f2f8de0ea7
- d4ba50614cb3
- 42442d42c57b
- a52e5a002d18
- c96988b7d993
References
- git.kernel.org/stable/c/31f2f8de0ea7387cde18a24f94ba5e0b886b9842 (nvd)
- git.kernel.org/stable/c/42442d42c57b9fbc35cb5ef72c7e5347c5f7d082 (nvd)
- git.kernel.org/stable/c/a52e5a002d18bffabff66f6f59a74f8e9aac5afe (nvd)
- git.kernel.org/stable/c/a6afb8293ec0932f4ed0b7aecfc0ccc00f44dc2b (nvd)
- git.kernel.org/stable/c/c96988b7d99327bb08bd9efd29a203b22cd88ace (nvd)
- git.kernel.org/stable/c/d4ba50614cb3f0686bbdb505af685d78e75861dc (nvd)