CVE-2023-54307

Root

Cause In the Linux kernel's ptp_qoriq driver, the probe function calls ioremap() to map device memory into 'base'. However, on an early error path (when ptp_qoriq_init() returns -ENODEV), the function failed to release the ioremap() mapping by calling iounmap() on the local variable 'base', instead using ptp_qoriq->base which is still NULL at that point. This led to a memory leak of the mapped region.

Exploitation

The vulnerability is local, requiring access to the system to trigger the affected hardware probing. No authentication is needed beyond local user access to cause the device probe to fail on that specific error path. The attack surface is limited to systems using the QorIQ PTP hardware and loading the driver.

Impact

An attacker with local access could repeatedly trigger the leak, exhausting kernel memory and potentially leading to denial of service. However, the leak occurs only on a specific error path, making exploitation less likely in normal operation.

Mitigation

The fix has been applied to the Linux kernel stable branches via commits [1] and [2]. Users should update to the latest kernel version containing these patches.