CVE-2023-54138
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix NULL-deref on irq uninstall
In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitialisation code can be called with the kms pointer set to NULL.
Patchwork: https://patchwork.freedesktop.org/patch/525104/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the MSM DRM driver's IRQ uninstall path can cause a system crash during early initialization or on non-DPU platforms.
Vulnerability Details
The Linux kernel's MSM DRM driver (drm/msm) contains a NULL pointer dereference in the IRQ uninstall path. When the driver's initialization fails early, or when the platform does not use the DPU (Display Processing Unit) controller, the deinitialization code may be invoked with the kms pointer set to NULL. The IRQ uninstall routine then dereferences NULL when it attempts to access members of the kms structure.
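A simplified userspace C model of the teardown path described above, added here as an illustration; it is not the kernel's code or the fix commit. The struct layouts, the functions `irq_uninstall`, `drv_uninit` and `drv_init`, and the placement of the NULL guard are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins, not the kernel's struct definitions. */
struct kms { bool irq_installed; };
struct drm_priv { struct kms *kms; };

/* IRQ teardown with the guard: false means there was nothing to uninstall. */
static bool irq_uninstall(struct drm_priv *priv)
{
    struct kms *kms = priv->kms;
    if (!kms || !kms->irq_installed) /* early init error, or no controller */
        return false;
    kms->irq_installed = false;      /* only reached with a valid kms */
    return true;
}

/* One teardown shared by normal removal and by init error unwinding. */
static bool drv_uninit(struct drm_priv *priv)
{
    bool uninstalled = irq_uninstall(priv);
    free(priv->kms);                 /* free(NULL) is a no-op */
    priv->kms = NULL;
    return uninstalled;
}

/* Init can fail before kms exists, and then unwinds through drv_uninit(). */
static int drv_init(struct drm_priv *priv, bool has_ctrl, bool fail_early)
{
    priv->kms = NULL;
    if (fail_early) { drv_uninit(priv); return -1; }
    if (!has_ctrl) return 0;         /* platform without the controller */
    priv->kms = calloc(1, sizeof(*priv->kms));
    if (!priv->kms) return -1;
    priv->kms->irq_installed = true;
    return 0;
}

int main(void)
{
    struct drm_priv p;
    printf("early failure: init=%d\n", drv_init(&p, true, true));
    drv_init(&p, false, false);
    printf("no controller: uninstalled=%d\n", drv_uninit(&p));
    drv_init(&p, true, false);
    printf("normal path:   uninstalled=%d\n", drv_uninit(&p));
    return 0;
}
```

Without the `!kms` check in `irq_uninstall`, the first two cases would read a member through a NULL pointer, which is the crash condition the description names.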
Exploitation
An attacker would need to trigger the vulnerable code path, which occurs during driver initialization or deinitialization. This can happen on systems with the MSM DRM driver loaded but where early initialization errors occur, or on platforms that lack the DPU controller. The vulnerability is triggered without any special privileges, as it occurs in kernel context during normal driver lifecycle operations. No user interaction is required beyond booting the system or loading the driver.
Impact
A successful NULL pointer dereference results in a kernel crash (oops), leading to a denial of service (DoS). The system may become unstable or reboot. There is no evidence of privilege escalation or data corruption beyond the crash itself.
Mitigation
The vulnerability has been fixed in the Linux kernel stable tree. The fix is included in commits [1][2][3] which are backported to various stable kernel versions. Users should update their kernel to a version containing the fix. No workaround is available other than avoiding the vulnerable code path, which is not practical.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- e2d1cc82ad50
- dd8ce825b165
- bafa985acff9
- 72092e34742e
- cd459c005de3
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/72092e34742e8b34accdadfa7bd9a13cf255a531 (nvd)
- git.kernel.org/stable/c/bafa985acff9b0ed53957beff33c18be08d6b9a6 (nvd)
- git.kernel.org/stable/c/cd459c005de3e2b855a8cc7768e633ce9d018e9f (nvd)
- git.kernel.org/stable/c/dd8ce825b165acf997689c5ffa45d6a7a1fc0260 (nvd)
- git.kernel.org/stable/c/e2d1cc82ad509c07a9ab0ab4bf88b6613fbf784b (nvd)