{ "threat_severity" : "Low", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: driver core: fix potential null-ptr-deref in device_add()", "id" : "2426138", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426138" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndriver core: fix potential null-ptr-deref in device_add()\nI got the following null-ptr-deref report while doing fault injection test:\nBUG: kernel NULL pointer dereference, address: 0000000000000058\nCPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+\nRIP: 0010:klist_put+0x2d/0xd0\nCall Trace:\n\nklist_remove+0xf1/0x1c0\ndevice_release_driver_internal+0x196/0x210\nbus_remove_device+0x1bd/0x240\ndevice_add+0xd3d/0x1100\nw1_add_master_device+0x476/0x490 [wire]\nds2482_probe+0x303/0x3e0 [ds2482]\nThis is how it happened:\nw1_alloc_dev()\n// The dev->driver is set to w1_master_driver.\nmemcpy(&dev->dev, device, sizeof(struct device));\ndevice_add()\nbus_add_device()\ndpm_sysfs_add() // It fails, calls bus_remove_device.\n// error path\nbus_remove_device()\n// The dev->driver is not null, but driver is not bound.\n__device_release_driver()\nklist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref.\n// normal path\nbus_probe_device() // It's not called yet.\ndevice_bind_driver()\nIf dev->driver is set, in the error path after calling bus_add_device()\nin device_add(), bus_remove_device() is called, then the device will be\ndetached from driver. But device_bind_driver() is not called yet, so it\ncauses null-ptr-deref while access the 'knode_driver'. To fix this, set\ndev->driver to null in the error path before calling bus_remove_device().", "A NULL pointer dereference was found in the driver core's device_add() function. When dpm_sysfs_add() fails after bus_add_device() succeeds, the error path attempts to remove the driver binding that was never completed, causing a crash." ], "statement" : "This crash requires device registration to fail at a specific point, typically due to sysfs errors or resource exhaustion. The affected code path is in core driver infrastructure but requires unusual failure conditions.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54321\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54321\nhttps://lore.kernel.org/linux-cve-announce/2025123022-CVE-2023-54321-b87f@gregkh/T" ], "name" : "CVE-2023-54321", "csaw" : false }