CVE-2023-52449

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Feb 22, 2024
Updated: Jun 27, 2024
CWE ID 476

Summary

CVE-2023-52449: A Linux kernel vulnerability has been identified and addressed. It affects the mtd (Mass-Storage Driver for Linux) subsystem, specifically the interaction between the ftl and gluebi modules. When both ftl.ko and gluebi.ko are loaded, a NULL pointer dereference occurs when 'gluebi->desc' is accessed in gluebi_read(). The cause is that gluebi_get_device() is not called in the expected order during the mtd partition creation process, so 'gluebi->desc' is still NULL when gluebi_read() uses it. To mitigate this issue, it is recommended to use jffs2 on UBI volumes without involving ftl or mtdblock, thus preventing the creation of an mtdblock device after creating an mtd partition of type MTD_UBIVOLUME.

1: Detailed reproduction information is available at [link]
2: For more information on using jffs2 without ftl or mtdblock, refer to [link]
