CVE-2023-54298

Vulnerability

Details

The vulnerability resides in the Intel Quark DTS (Digital Thermal Sensor) thermal driver in the Linux kernel. When the alloc_soc_dts() function fails, the driver attempts to free the soc_dts pointer, which is an error pointer. This results in a null pointer dereference or an invalid memory access, leading to a kernel Oops [1][2][3][4].

Exploitation

The bug is triggered when memory allocation for the thermal sensor data structure fails. This can occur under low memory conditions or if the system is under memory pressure. No special privileges are required beyond the ability to trigger the driver's initialization, which typically happens during boot or when the thermal subsystem is loaded. An attacker with local access could potentially force memory exhaustion to trigger this condition, causing a denial of service.

Impact

Successful exploitation results in a kernel panic (Oops), causing a system crash and denial of service. This can disrupt operations on systems using the Intel Quark SoC, which is often found in embedded and IoT devices.

Mitigation

The fix has been applied to the Linux kernel stable branches [1][2][3][4]. Users are advised to update their kernels to the latest stable version that includes the patch. No workaround is available other than applying the kernel update.