2169343 – (CVE-2023-3358) CVE-2023-3358 kernel: shtp_cl_get_dma_send_buf in drivers/hid/intel-ish-hid/ishtp/dma-if.c lacks check of the return value of kcalloc() and will cause the NULL Pointer Dereference

Bug 2169343 (CVE-2023-3358) - CVE-2023-3358 kernel: shtp_cl_get_dma_send_buf in drivers/hid/intel-ish-hid/ishtp/dma-if.c lacks check of the return value of kcalloc() and will cause the NULL Pointer Dereference

Summary: CVE-2023-3358 kernel: shtp_cl_get_dma_send_buf in drivers/hid/intel-ish-hid/i...

Keywords:
Status:	NEW
Alias:	CVE-2023-3358
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2169345 2169347 2169344 2169346 2169348
Blocks:	2167953
TreeView+	depends on / blocked

Reported:	2023-02-13 11:30 UTC by Alex
Modified:	2023-07-07 08:32 UTC (History)
CC List:	36 users (show)
Fixed In Version:	kernel 6.1-rc8
Doc Type:	If docs needed, set a value
Doc Text:	A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Alex 2023-02-13 11:30:41 UTC

An issue was discovered in the Linux kernel through 6.1-rc8.
ishtp_cl_get_dma_send_buf in drivers/hid/intel-ish-hid/ishtp/dma-if.c
lacks check of the return value of kcalloc() and will cause the
NULL Pointer Dereference.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8

Comment 1 Alex 2023-02-13 11:31:10 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2169344]

Comment 4 Justin M. Forbes 2023-03-01 19:27:52 UTC

This was fixed for Fedora with the 6.1.9 stable kernel updates.

Comment 10 Alex 2023-06-28 16:44:12 UTC

Memory allocations with the GFP_KERNEL should not be considered as CVE if alloc small amount of memory (based on
"
GFP_KERNEL - both background and direct reclaim are allowed and the default page allocator behavior is used. That means that not costly allocation requests are basically no-fail but there is no guarantee of that behavior so failures have to be checked properly by callers (e.g. OOM killer victim is allowed to fail currently).
",
and for more info see: https://lwn.net/Articles/627419/ ).

However, particular for this CVE I'm not sure if always small amount of memory request, so it is just in case as potential security issue.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
bhu
chwhite
ddepaula
debarbos
dfreiber
dvlasenk
ezulian
fhrbata
hkrzesin
jarod
jburrell
jfaracco
jferlan
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
kernel-mgr
lgoncalv
lleshchi
lzampier
nmurray
ptalbert
qzhao
rogbas
rvrbovsk
scweaver
swood
tyberry
vkumar
walters
williams