ghsa-39rg-6496-pf73
Vulnerability from github
Published
2025-12-30 15:30
Modified
2025-12-30 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

tty: fix out-of-bounds access in tty_driver_lookup_tty()

When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number.

To reproduce:

qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ -kernel ../linux-build-x86/arch/x86/boot/bzImage \ -append "console=ttyS0 console=tty3270"

This crashes with:

[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: error_code(0x0000) - not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 [ 0.784013] chrdev_open+0xbd/0x230 [ 0.784444] ? cdev_device_add+0x80/0x80 [ 0.784920] do_dentry_open+0x1e0/0x410 [ 0.785389] path_openat+0xca9/0x1050 [ 0.785813] do_filp_open+0xaa/0x150 [ 0.786240] file_open_name+0x133/0x1b0 [ 0.786746] filp_open+0x27/0x50 [ 0.787244] console_on_rootfs+0x14/0x4d [ 0.787800] kernel_init_freeable+0x1e4/0x20d [ 0.788383] ? rest_init+0xc0/0xc0 [ 0.788881] kernel_init+0x11/0x120 [ 0.789356] ret_from_fork+0x22/0x30

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54198"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:07Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix out-of-bounds access in tty_driver_lookup_tty()\n\nWhen specifying an invalid console= device like console=tty3270,\ntty_driver_lookup_tty() returns the tty struct without checking\nwhether index is a valid number.\n\nTo reproduce:\n\nqemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \\\n-kernel ../linux-build-x86/arch/x86/boot/bzImage \\\n-append \"console=ttyS0 console=tty3270\"\n\nThis crashes with:\n\n[    0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef\n[    0.771265] #PF: supervisor read access in kernel mode\n[    0.771773] #PF: error_code(0x0000) - not-present page\n[    0.772609] Oops: 0000 [#1] PREEMPT SMP PTI\n[    0.774878] RIP: 0010:tty_open+0x268/0x6f0\n[    0.784013]  chrdev_open+0xbd/0x230\n[    0.784444]  ? cdev_device_add+0x80/0x80\n[    0.784920]  do_dentry_open+0x1e0/0x410\n[    0.785389]  path_openat+0xca9/0x1050\n[    0.785813]  do_filp_open+0xaa/0x150\n[    0.786240]  file_open_name+0x133/0x1b0\n[    0.786746]  filp_open+0x27/0x50\n[    0.787244]  console_on_rootfs+0x14/0x4d\n[    0.787800]  kernel_init_freeable+0x1e4/0x20d\n[    0.788383]  ? rest_init+0xc0/0xc0\n[    0.788881]  kernel_init+0x11/0x120\n[    0.789356]  ret_from_fork+0x22/0x30",
  "id": "GHSA-39rg-6496-pf73",
  "modified": "2025-12-30T15:30:31Z",
  "published": "2025-12-30T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54198"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.