CVE-2023-54198 (GCVE-0-2023-54198)
Vulnerability from cvelistv5
Published
2025-12-30 12:09
Modified
2025-12-30 12:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: fix out-of-bounds access in tty_driver_lookup_tty()
When specifying an invalid console= device like console=tty3270,
tty_driver_lookup_tty() returns the tty struct without checking
whether index is a valid number.
To reproduce:
qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \
-kernel ../linux-build-x86/arch/x86/boot/bzImage \
-append "console=ttyS0 console=tty3270"
This crashes with:
[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef
[ 0.771265] #PF: supervisor read access in kernel mode
[ 0.771773] #PF: error_code(0x0000) - not-present page
[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI
[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0
[ 0.784013] chrdev_open+0xbd/0x230
[ 0.784444] ? cdev_device_add+0x80/0x80
[ 0.784920] do_dentry_open+0x1e0/0x410
[ 0.785389] path_openat+0xca9/0x1050
[ 0.785813] do_filp_open+0xaa/0x150
[ 0.786240] file_open_name+0x133/0x1b0
[ 0.786746] filp_open+0x27/0x50
[ 0.787244] console_on_rootfs+0x14/0x4d
[ 0.787800] kernel_init_freeable+0x1e4/0x20d
[ 0.788383] ? rest_init+0xc0/0xc0
[ 0.788881] kernel_init+0x11/0x120
[ 0.789356] ret_from_fork+0x22/0x30
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/tty_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3df6f492f500a16c231f07ccc6f6ed1302caddf9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b79109d6470aaae7062998353e3a19449055829d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "953a4a352a0c185460ae1449e4c6e6658e55fdfc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "84ea44dc3e4ecb2632586238014bf6722aa5843b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f9d9d25ad1f0d060eaf297a2f7f03b5855a45561",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "765566110eb0da3cf60198b0165ecceeaafa6444",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fcfeaa570f7a5c2d5f4f14931909531ff18b7fde",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db4df8e9d79e7d37732c1a1b560958e8dadfefa1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/tty_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix out-of-bounds access in tty_driver_lookup_tty()\n\nWhen specifying an invalid console= device like console=tty3270,\ntty_driver_lookup_tty() returns the tty struct without checking\nwhether index is a valid number.\n\nTo reproduce:\n\nqemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \\\n-kernel ../linux-build-x86/arch/x86/boot/bzImage \\\n-append \"console=ttyS0 console=tty3270\"\n\nThis crashes with:\n\n[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef\n[ 0.771265] #PF: supervisor read access in kernel mode\n[ 0.771773] #PF: error_code(0x0000) - not-present page\n[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0\n[ 0.784013] chrdev_open+0xbd/0x230\n[ 0.784444] ? cdev_device_add+0x80/0x80\n[ 0.784920] do_dentry_open+0x1e0/0x410\n[ 0.785389] path_openat+0xca9/0x1050\n[ 0.785813] do_filp_open+0xaa/0x150\n[ 0.786240] file_open_name+0x133/0x1b0\n[ 0.786746] filp_open+0x27/0x50\n[ 0.787244] console_on_rootfs+0x14/0x4d\n[ 0.787800] kernel_init_freeable+0x1e4/0x20d\n[ 0.788383] ? rest_init+0xc0/0xc0\n[ 0.788881] kernel_init+0x11/0x120\n[ 0.789356] ret_from_fork+0x22/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:09:04.229Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9"
},
{
"url": "https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d"
},
{
"url": "https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc"
},
{
"url": "https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b"
},
{
"url": "https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561"
},
{
"url": "https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444"
},
{
"url": "https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde"
},
{
"url": "https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1"
}
],
"title": "tty: fix out-of-bounds access in tty_driver_lookup_tty()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54198",
"datePublished": "2025-12-30T12:09:04.229Z",
"dateReserved": "2025-12-30T12:06:44.499Z",
"dateUpdated": "2025-12-30T12:09:04.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54198\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:07.877\",\"lastModified\":\"2025-12-30T13:16:07.877\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntty: fix out-of-bounds access in tty_driver_lookup_tty()\\n\\nWhen specifying an invalid console= device like console=tty3270,\\ntty_driver_lookup_tty() returns the tty struct without checking\\nwhether index is a valid number.\\n\\nTo reproduce:\\n\\nqemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \\\\\\n-kernel ../linux-build-x86/arch/x86/boot/bzImage \\\\\\n-append \\\"console=ttyS0 console=tty3270\\\"\\n\\nThis crashes with:\\n\\n[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef\\n[ 0.771265] #PF: supervisor read access in kernel mode\\n[ 0.771773] #PF: error_code(0x0000) - not-present page\\n[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI\\n[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0\\n[ 0.784013] chrdev_open+0xbd/0x230\\n[ 0.784444] ? cdev_device_add+0x80/0x80\\n[ 0.784920] do_dentry_open+0x1e0/0x410\\n[ 0.785389] path_openat+0xca9/0x1050\\n[ 0.785813] do_filp_open+0xaa/0x150\\n[ 0.786240] file_open_name+0x133/0x1b0\\n[ 0.786746] filp_open+0x27/0x50\\n[ 0.787244] console_on_rootfs+0x14/0x4d\\n[ 0.787800] kernel_init_freeable+0x1e4/0x20d\\n[ 0.788383] ? rest_init+0xc0/0xc0\\n[ 0.788881] kernel_init+0x11/0x120\\n[ 0.789356] ret_from_fork+0x22/0x30\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…