Bug 2168251 (CVE-2023-3359) - CVE-2023-3359 kernel: brcm_nvram_parse in drivers/nvmem/brcm_nvram.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference
Summary: CVE-2023-3359 kernel: brcm_nvram_parse in drivers/nvmem/brcm_nvram.c lacks ch...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-3359
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2167953
TreeView+ depends on / blocked
 
Reported: 2023-02-08 15:15 UTC by Alex
Modified: 2023-07-31 08:10 UTC (History)
23 users (show)

Fixed In Version: kernel 6.1-rc8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s brcm_nvram_parse in drivers/nvmem/brcm_nvram.c. This issue lacks checking the return value of kzalloc(), which can cause a NULL pointer dereference issue.
Clone Of:
Environment:
Last Closed: 2023-02-10 09:17:37 UTC
Embargoed:

Attachments (Terms of Use)

Description Alex 2023-02-08 15:15:47 UTC 
An issue was discovered in the Linux kernel through 6.1-rc8.
brcm_nvram_parse in drivers/nvmem/brcm_nvram.c
lacks check of the return value of kzalloc() and will
cause the NULL Pointer Dereference.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b0576ade3aaf24b376ea1a4406ae138e2a22b0c0
Comment 4 Alex 2023-06-28 16:44:48 UTC 
Memory allocations with the GFP_KERNEL should not be considered as CVE if alloc small amount of memory (based on
"
GFP_KERNEL - both background and direct reclaim are allowed and the default page allocator behavior is used. That means that not costly allocation requests are basically no-fail but there is no guarantee of that behavior so failures have to be checked properly by callers (e.g. OOM killer victim is allowed to fail currently).
",
and for more info see: https://lwn.net/Articles/627419/ ).

However, particular for this CVE I'm not sure if always small amount of memory request, so it is just in case as potential security issue.
Comment 5 Jan Pazdziora 2023-07-26 11:16:31 UTC 
Hello Alex,

while doing review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE.

Could you update the CVE page https://access.redhat.com/security/cve/CVE-2023-3359 with some publicly facing statement why we consider all RHELs as not affected? Especially given the

  https://www.kernel.org/doc/html/next/core-api/memory-allocation.html

that you quoted in comment 4 says that "... but there is no guarantee of that behavior so failures have to be checked properly by callers".

Thank you, Jan
Comment 6 Alex 2023-07-30 12:55:37 UTC 
In reply to comment #5:
> Hello Alex,
> 
> while doing review of the Vulnerability Assessment report of RHEL 8.6 for
> the purpose of Common Criteria certification, we came across this CVE.
> 
> Could you update the CVE page
> https://access.redhat.com/security/cve/CVE-2023-3359 with some publicly
> facing statement why we consider all RHELs as not affected? Especially given
> the
> 
>   https://www.kernel.org/doc/html/next/core-api/memory-allocation.html
> 
> that you quoted in comment 4 says that "... but there is no guarantee of
> that behavior so failures have to be checked properly by callers".
> 
> Thank you, Jan

Added statement (that "CONFIG_NVMEM_BRCM_NVRAM disabled for all versions of the Red Hat Enterprise Linux").
Comment 7 Jan Pazdziora 2023-07-31 08:10:16 UTC 
Perfect, thank you.
Note You need to log in before you can comment on or make changes to this bug.