CVE-2023-54304
Description
In the Linux kernel, the following vulnerability has been resolved:
firmware: meson_sm: fix to avoid potential NULL pointer dereference
of_match_device() may fail and return a NULL pointer.
Fix this by checking the return value of of_match_device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's meson_sm firmware driver, caused by an unchecked return value of of_match_device(), could lead to a system crash.
Vulnerability
CVE-2023-54304 is a NULL pointer dereference vulnerability in the Linux kernel's meson_sm firmware driver. The root cause is that the function of_match_device() can return a NULL pointer, but the driver does not check the return value before using it. This oversight can lead to a NULL pointer dereference when the driver attempts to access the device match structure.
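The unchecked and checked patterns described above, as an added example that is not the kernel's own code: a user-space C model in which the struct definitions, `model_match_device()`, the `demo_*` names, the sample compatible strings and the `-ENODEV` return value are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
/* User-space stand-ins for the kernel types (assumptions, not kernel code). */
struct of_device_id { const char *compatible; const void *data; };
struct device { const char *compatible; };   /* NULL models "no DT node" */
struct sm_chip { unsigned int shmem_size; }; /* hypothetical per-chip data */

static const struct sm_chip demo_chip = { 0x1000 };
static const struct of_device_id demo_ids[] = {
    { "vendor,demo-sm", &demo_chip },        /* constructed sample entry */
    { NULL, NULL },                          /* table sentinel */
};

/* Models of_match_device(): NULL when no table entry matches the device. */
static const struct of_device_id *
model_match_device(const struct of_device_id *ids, const struct device *dev)
{
    if (!dev->compatible)
        return NULL;
    for (; ids->compatible; ids++)
        if (strcmp(ids->compatible, dev->compatible) == 0)
            return ids;
    return NULL;
}

/* Unchecked pattern: dereferences the match result without testing it. */
int probe_unchecked(const struct device *dev, const struct sm_chip **chip)
{
    *chip = model_match_device(demo_ids, dev)->data; /* NULL deref if no match */
    return 0;
}

/* Checked pattern: test the return value before touching ->data. */
int probe_checked(const struct device *dev, const struct sm_chip **chip)
{
    const struct of_device_id *match = model_match_device(demo_ids, dev);
    if (!match)
        return -ENODEV; /* error code chosen for this example */
    *chip = match->data;
    return 0;
}

int main(void)
{
    const struct device unmatched = { "vendor,other" }; /* constructed input */
    const struct sm_chip *chip = NULL;
    return probe_checked(&unmatched, &chip) == -ENODEV ? 0 : 1;
}
```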
Exploitation
An attacker would need to trigger the code path where of_match_device() fails. This typically requires a crafted device tree or a system configuration where the driver is loaded without a matching device entry. No special privileges are needed beyond the ability to trigger driver probing, which can occur during system boot or when a device is hotplugged.
Impact
Successful exploitation results in a NULL pointer dereference, which causes a kernel panic (system crash). This is a denial-of-service (DoS) condition. The vulnerability does not appear to allow privilege escalation or arbitrary code execution based on the available information.
Mitigation
The fix has been applied to the Linux kernel stable tree in commits [1], [2], and [3]. Users should update their kernel to a version that includes these patches. No workaround is available other than applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (7)
fba9c24c1963 9f4017cac70c 502dfc5875ba bd3a6b6d5dd8 68f3209546b5 2d6c4a1a4e66 f2ed165619c1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- git.kernel.org/stable/c/2d6c4a1a4e6678cb98dd57964f133a995ecc91c1 (nvd)
- git.kernel.org/stable/c/502dfc5875bab9ae5d6a2939146c2c5e5683be40 (nvd)
- git.kernel.org/stable/c/68f3209546b5083f8bffa46f7173cc05191eace1 (nvd)
- git.kernel.org/stable/c/9f4017cac70c04090dd4f672e755d6c875af67d8 (nvd)
- git.kernel.org/stable/c/bd3a6b6d5dd863dbbe17985c7612159cf4533cad (nvd)
- git.kernel.org/stable/c/f2ed165619c16577c02b703a114a1f6b52026df4 (nvd)
- git.kernel.org/stable/c/fba9c24c196310546f13c77ff66d0741155fa771 (nvd)