CVE-2023-54136
Description
In the Linux kernel, the following vulnerability has been resolved:
serial: sprd: Fix DMA buffer leak issue
Release DMA buffer when _probe() returns failure to avoid memory leak.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, the Spreadtrum serial driver leaks a DMA buffer when probe fails; the fix releases the buffer on that path to avoid the memory leak.
Vulnerability
CVE-2023-54136 is a memory leak vulnerability in the Linux kernel's Spreadtrum (sprd) serial driver. The issue arises in the driver's probe function, where a DMA buffer is allocated but not released if the probe function returns a failure. The allocated memory is never freed, so the DMA buffer leaks, leading to resource exhaustion over time.
Exploitation
Exploitation of this vulnerability requires the ability to trigger a probe failure in the sprd serial driver, which could occur during system initialization or when the driver is loaded on a system with the affected hardware. No special privileges are needed beyond the ability to load the driver, but the attack surface is limited to systems using the Spreadtrum serial hardware. The vulnerability is a memory leak, not a direct code execution path, so it is typically exploited as a denial-of-service vector.
Impact
An attacker who can repeatedly trigger probe failures could exhaust the system memory, leading to a denial-of-service condition. The leak is specific to DMA buffers, which are limited resources, and could cause the system to become unresponsive or crash if memory is exhausted. The vulnerability does not provide any privilege escalation or data disclosure capabilities.
Mitigation
The fix for this vulnerability is to release the DMA buffer when the probe function fails, which has been implemented in the Linux kernel stable tree. The commit references [1], [2], and [3] are all stable backports of the same fix. Users should update their kernel to a version that includes this patch. No workarounds are documented, but the issue is resolved by applying the kernel update.
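The leak and the fix pattern described above, as an added userspace C model (not the kernel driver's code or the actual patch). All names are hypothetical, and `malloc`/`free` stand in for the DMA buffer allocation and release:

```c
#include <errno.h>
#include <stdlib.h>
struct port { void *rx_buf; };        /* hypothetical per-port state */
static int live_bufs;                 /* buffers currently allocated */

static int rx_alloc_buf(struct port *p)
{
    p->rx_buf = malloc(4096);         /* stand-in for the DMA allocation */
    if (!p->rx_buf)
        return -ENOMEM;
    live_bufs++;
    return 0;
}

static void rx_free_buf(struct port *p)
{
    free(p->rx_buf);
    p->rx_buf = NULL;
    live_bufs--;
}
/* Stand-in for a later probe step that can fail. */
static int register_port(int fail) { return fail ? -ENODEV : 0; }

/* Before: a failure after the allocation returns with the buffer held. */
int probe_leaky(struct port *p, int fail)
{
    int ret = rx_alloc_buf(p);
    return ret ? ret : register_port(fail);
}

/* After: a failure past the allocation releases the buffer first. */
int probe_fixed(struct port *p, int fail)
{
    int ret = rx_alloc_buf(p);
    if (ret)
        return ret;
    ret = register_port(fail);
    if (ret)
        rx_free_buf(p);
    return ret;
}

/* Run a failing probe n times; return how many buffers stay allocated. */
int leaked_after(int (*probe)(struct port *, int), int n)
{
    live_bufs = 0;
    for (int i = 0; i < n; i++)
        probe(&(struct port){ 0 }, 1);
    return live_bufs;
}
```

Each failed call to the leaky variant strands one buffer, so the count grows linearly with the number of failed probes, while the fixed variant returns to zero.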
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (7)
c65be6ad55e5, 9a26aaea6c21, f34508d934c4, 6d209ed70f9c, 0237f913694d, 4ee715e54e25, cd119fdc3ee1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- git.kernel.org/stable/c/0237f913694d57bcd7e0e7ae6f255b648a1c42a7 (nvd)
- git.kernel.org/stable/c/4ee715e54e255b1be65722f715fca939d5c2ca7a (nvd)
- git.kernel.org/stable/c/6d209ed70f9c388727995aaece1f930fe63d402b (nvd)
- git.kernel.org/stable/c/9a26aaea6c212ea26bab159933dbfd3321a491f6 (nvd)
- git.kernel.org/stable/c/c65be6ad55e5e45f8c4e40e1d8d7fe0e21b26e77 (nvd)
- git.kernel.org/stable/c/cd119fdc3ee1450fbf7f78862b5de44c42b6e47f (nvd)
- git.kernel.org/stable/c/f34508d934c4f2efb6a85787fc37f42184dabadf (nvd)