CVE-2023-52449

Disclosure Date: February 22, 2024 •

CVE-2023-52449 CVSS v3 Base Score: 5.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
triggers NULL pointer dereference when trying to access
‘gluebi->desc’ in gluebi_read().

ubi_gluebi_init
ubi_register_volume_notifier

ubi_enumerate_volumes
  ubi_notify_all
    gluebi_notify    nb->notifier_call()
      gluebi_create
        mtd_device_register
          mtd_device_parse_register
            add_mtd_device
              blktrans_notify_add   not->add()
                ftl_add_mtd         tr->add_mtd()
                  scan_header
                    mtd_read
                      mtd_read_oob
                        mtd_read_oob_std
                          gluebi_read   mtd->read()
                            gluebi->desc - NULL

Detailed reproduction information available at the Link [1],

In the normal case, obtain gluebi->desc in the gluebi_get_device(),
and access gluebi->desc in the gluebi_read(). However,
gluebi_get_device() is not executed in advance in the
ftl_add_mtd() process, which leads to NULL pointer dereference.

The solution for the gluebi module is to run jffs2 on the UBI
volume without considering working with ftl or mtdblock [2].
Therefore, this problem can be avoided by preventing gluebi from
creating the mtdblock device after creating mtd partition of the
type MTD_UBIVOLUME.