Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54189

Description

In the Linux kernel, the following vulnerability has been resolved:

pstore/ram: Add check for kstrdup

Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing kstrdup() return-value check in the Linux kernel's pstore/ram driver could lead to a NULL pointer dereference.

Vulnerability

CVE-2023-54189 is a NULL pointer dereference vulnerability in pstore/ram, the Linux kernel's persistent storage driver. The root cause is a missing return-value check on a kstrdup() call. If kstrdup() fails (e.g., due to memory pressure), the code goes on to use the returned NULL pointer without validation, which can crash the kernel [1].

Exploitation

Exploitation requires the ability to trigger a memory allocation failure in the kernel's pstore/ram subsystem. This could be achieved by exhausting system memory or by other means that cause kstrdup() to return NULL. No special privileges are needed beyond the ability to trigger the pstore/ram code path, which may be accessible to unprivileged users depending on the system configuration.

Impact

A successful exploit results in a NULL pointer dereference, causing a kernel oops or panic. This leads to a denial of service (DoS) condition, making the system unavailable. There is no evidence of privilege escalation or data corruption from this vulnerability.

Mitigation

The fix adds a check for the return value of kstrdup() and returns an error if it fails, preventing the NULL pointer from being dereferenced [1]. The patch has been applied to the stable kernel tree. Users should update to a kernel version containing the fix.
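The check-and-return pattern described above, as an added user-space C model rather than the kernel's pstore/ram code or the patch itself. The names `model_strdup`, `fail_next_alloc`, `struct zone`, `zone_new` and `try_init` are hypothetical, and the injected failure stands in for kstrdup() returning NULL.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fault injection: when set, the next model_strdup() fails
 * once, the way kstrdup() returns NULL under memory pressure. */
static int fail_next_alloc;

static char *model_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = fail_next_alloc ? NULL : malloc(n);
    fail_next_alloc = 0;
    return p ? memcpy(p, s, n) : NULL;
}

struct zone { char *label; };  /* hypothetical stand-in for a driver object */
/* Hardened form: the duplicate is checked before anything can use it. */
static int zone_new(const char *label, struct zone **out)
{
    struct zone *z = calloc(1, sizeof(*z));
    if (!z)
        return -ENOMEM;
    z->label = model_strdup(label);
    if (!z->label) {           /* the check the unpatched pattern lacks */
        free(z);               /* unwind the partial object, then fail */
        return -ENOMEM;
    }
    *out = z;
    return 0;
}

/* Returns the label length on success, or zone_new()'s negative errno. */
static int try_init(int inject_failure)
{
    struct zone *z = NULL;
    int rc;
    fail_next_alloc = inject_failure;
    rc = zone_new("dmesg", &z);   /* "dmesg" is a constructed sample label */
    if (rc)
        return rc;
    rc = (int)strlen(z->label);   /* safe: label is known non-NULL here */
    free(z->label);
    free(z);
    return rc;
}

int main(void) { printf("normal=%d injected=%d\n", try_init(0), try_init(1)); return 0; }
```

Exercising the failure path with an injected allocation error confirms that the caller receives an error code and the partially built object is released, instead of a later dereference of a NULL label.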

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 7

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7
