CVE-2023-54255

The Linux kernel's SH DMA driver contains a flaw in its channel offset calculation for various SH3, SH4, and SH4A family SoCs. These SoCs can have a varying number of DMA channels distributed across up to two DMAC modules. The existing implementation fails to accommodate these variations, leading to wrong channel offset calculations [1].

The vulnerability manifests when the driver computes base addresses for DMA channels. The incorrect offset can cause out-of-bounds access or misaligned register writes, potentially leading to a kernel panic. An attacker with local access to trigger DMA operations could exploit this bug [2].

The impact is a denial of service via kernel panic. Given that the SH architecture is primarily used in embedded systems, physical or local access is typically required. The vulnerability does not appear to allow privilege escalation beyond crashing the system.

Patches have been applied to the Linux kernel stable tree, correcting the dma_base_addr() function and the dmaor_read_reg()/dmaor_write_reg() functions to select the correct DMAC module base. Users should update to the latest stable kernel version containing these fixes [3].