2266341 – (CVE-2023-52469) CVE-2023-52469 kernel: use-after-free in kv_parse_power_table

Bug 2266341 (CVE-2023-52469) - CVE-2023-52469 kernel: use-after-free in kv_parse_power_table

Summary: CVE-2023-52469 kernel: use-after-free in kv_parse_power_table

Keywords:
Status:	NEW
Alias:	CVE-2023-52469
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2266343
Blocks:	2266208
TreeView+	depends on / blocked

Reported:	2024-02-27 16:34 UTC by Rohit Keshri
Modified:	2024-03-17 17:17 UTC (History)
CC List:	49 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in kv_parse_power_table in drivers/amd/pm in the Linux kernel. When ps equals NULL, kv_parse_power_table frees adev->pm.dpm.ps. The adev->pm.dpm.ps is used in the loop of kv_dpm_fini after its first free in kv_parse_power_table, causing a use-after-free problem.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-02-27 16:34:09 UTC

In the Linux kernel, the following vulnerability has been resolved:

drivers/amd/pm: fix a use-after-free in kv_parse_power_table

When ps allocated by kzalloc equals to NULL, kv_parse_power_table
frees adev->pm.dpm.ps that allocated before. However, after the control
flow goes through the following call chains:

kv_parse_power_table
  |-> kv_dpm_init
        |-> kv_dpm_sw_init
	      |-> kv_dpm_fini

The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its
first free in kv_parse_power_table and causes a use-after-free bug.

https://git.kernel.org/stable/c/28dd788382c43b330480f57cd34cde0840896743
https://git.kernel.org/stable/c/3426f059eacc33ecc676b0d66539297e1cfafd02
https://git.kernel.org/stable/c/35fa2394d26e919f63600ce631e6aefc95ec2706
https://git.kernel.org/stable/c/520e213a0b97b64735a13950e9371e0a5d7a5dc3
https://git.kernel.org/stable/c/8a27d9d9fc9b5564b8904c3a77a7dea482bfa34e
https://git.kernel.org/stable/c/8b55b06e737feb2a645b0293ea27e38418876d63
https://git.kernel.org/stable/c/95084632a65d5c0d682a83b55935560bdcd2a1e3
https://git.kernel.org/stable/c/b6dcba02ee178282e0d28684d241e0b8462dea6a

Comment 1 Rohit Keshri 2024-02-27 16:44:04 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2266343]

Comment 4 Justin M. Forbes 2024-02-27 18:51:54 UTC

This was fixed for Fedora with the 6.6.14 stable kernel update.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
allarkin
aquini
bhu
chwhite
cye
cyin
dbohanno
debarbos
dfreiber
drow
dvlasenk
esandeen
ezulian
hkrzesin
jarod
jburrell
jdenham
jfaracco
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
ldoskova
lgoncalv
lzampier
mleitner
mmilgram
mstowell
nmurray
ptalbert
rparrazo
rrobaina
rvrbovsk
rysulliv
scweaver
sukulkar
tglozar
tyberry
vkumar
wcosta
williams
wmealing
ycote
ykopkova
zhijwang