CVE-2023-54058 in Linux
Summary
by MITRE • 12/24/2025
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_ffa: Check if ffa_driver remove is present before executing
Currently ffa_drv->remove() is called unconditionally from ffa_device_remove(). Since the driver registration doesn't check for it and allows it to be registered without a .remove callback, we need to check for the presence of it before executing it from ffa_device_remove() to avoid a NULL pointer dereference like the one below:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
| Mem abort info:
|   ESR = 0x0000000086000004
|   EC = 0x21: IABT (current EL), IL = 32 bits
|   SET = 0, FnV = 0
|   EA = 0, S1PTW = 0
|   FSC = 0x04: level 0 translation fault
| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000
| [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
| Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
| CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6
| Hardware name: FVP Base RevC (DT)
| pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c)
| pc : 0x0
| lr : ffa_device_remove+0x20/0x2c
| Call trace:
|  0x0
|  device_release_driver_internal+0x16c/0x260
|  driver_detach+0x90/0xd0
|  bus_remove_driver+0xdc/0x11c
|  driver_unregister+0x30/0x54
|  ffa_driver_unregister+0x14/0x20
|  cleanup_module+0x18/0xeec
|  __arm64_sys_delete_module+0x234/0x378
|  invoke_syscall+0x40/0x108
|  el0_svc_common+0xb4/0xf0
|  do_el0_svc+0x30/0xa4
|  el0_svc+0x2c/0x7c
|  el0t_64_sync_handler+0x84/0xf0
|  el0t_64_sync+0x190/0x194
Analysis
by VulDB Data Team • 12/30/2025
The vulnerability identified as CVE-2023-54058 resides in the Linux kernel's firmware subsystem, specifically in the arm_ffa bus driver. It is a NULL pointer dereference in the device removal path: ffa_device_remove() invokes a driver's remove callback without checking that the driver supplied one. The arm_ffa subsystem implements the Arm Firmware Framework for Arm A-profile (FF-A), the interface through which the kernel talks to secure-world and hypervisor-managed partitions on arm64 systems. Because FF-A driver registration does not require a .remove callback, a driver registered without one leaves that function pointer NULL, and the kernel branches to address zero the moment the driver is detached from its device.
The root cause is the handling of an optional driver callback. When a driver is unregistered, the driver core calls ffa_device_remove() to detach the device from the driver, and that function called ffa_drv->remove() directly without first checking whether the pointer had been set. Optional callbacks in kernel driver models must be tested before they are invoked; here the omission turns a legitimately absent .remove into a jump to address zero. The oops in the summary shows exactly this: an rmmod (Comm: rmmod, cleanup_module reached via __arm64_sys_delete_module) unregisters the driver, control passes through device_release_driver_internal into ffa_device_remove, and pc is 0x0 with lr pointing back into ffa_device_remove+0x20. The abort is an instruction fetch fault (EC = 0x21: IABT), not a data access, because the CPU tried to execute from address zero. The weakness is CWE-476 (NULL pointer dereference). Its practical consequence is a kernel oops, a denial of service; the trigger is module unload, which requires CAP_SYS_MODULE, so nothing on this page supports an unprivileged attack or privilege escalation.
The operational impact is loss of availability on arm64 systems that use the FF-A driver model, which includes platforms with secure-world partitions reached through FF-A and virtual platforms such as the FVP model in the log. On a kernel without the fix, unloading the module of an FF-A driver that did not define .remove, or unbinding it from its device, triggers the oops. An oops kills the task performing the unload and leaves the device and driver in an undefined state; with panic_on_oops set, the whole system panics. The effect is most disruptive on embedded and virtualized systems whose firmware-facing drivers are loaded and unloaded as part of normal operation. The call trace is the textbook signature of an unchecked optional callback: a return address inside ffa_device_remove with pc at 0x0.
The fix is a check in ffa_device_remove(): call ffa_drv->remove() only when the pointer is non-NULL, which is the established kernel convention for optional driver callbacks. System administrators should move affected systems to a kernel that carries this fix. Because the trigger is a privileged action (module unload or driver unbind), there is no attacker-controlled input to filter; monitoring reduces to auditing module unloads and driver unbinds, which are already worth logging on production hosts. Until a patched kernel is deployed, avoid unloading or unbinding FF-A drivers on affected systems, and give any FF-A driver you build yourself a .remove callback, even an empty one, so the unconditional call has something valid to reach. For driver authors the broader lesson is that any callback a registration API treats as optional must be checked at every call site, or the registration API must reject or default it. Organizations running embedded or virtualized arm64 fleets should also keep automated patch management in place so that kernel fixes of this kind, which are small but crash-inducing, reach systems promptly.
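A user-space model of the two remove paths discussed above (the unconditional call that crashes and the checked call that the fix introduces), added here as an example and not code from the Linux kernel or from VulDB. The struct and function names follow the page, but the fields, ffa_register(), simulate_rmmod() and the return values are assumptions made for this example. It also shows a second hardening option the kernel did not take, installing a no-op callback at registration so that call sites may stay unconditional.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Example model, not kernel code. struct layouts, ffa_register() and the
 * integer return codes are assumptions made for this demonstration.
 */

struct ffa_device {
    const char *name;
    int removed;                 /* incremented by a driver's remove() */
};

struct ffa_driver {
    const char *name;
    int (*probe)(struct ffa_device *dev);
    void (*remove)(struct ffa_device *dev);   /* optional: may be NULL */
};

/* Registration as the commit describes it: .remove is not required. */
static int ffa_register(struct ffa_driver *drv)
{
    if (!drv || !drv->probe)
        return -1;               /* probe is mandatory in this model */
    return 0;
}

/*
 * Before the fix: remove() is called unconditionally. For a driver that
 * registered without .remove this is a call through a NULL pointer, the
 * "pc : 0x0" instruction abort in the oops above. Never call this with
 * such a driver.
 */
static void ffa_device_remove_unchecked(struct ffa_driver *drv,
                                        struct ffa_device *dev)
{
    drv->remove(dev);
}

/*
 * After the fix: the optional callback is tested first. Returns 1 if the
 * driver's remove ran and 0 if it was absent and skipped (the return value
 * is an addition for this example; the kernel function returns void).
 */
static int ffa_device_remove_checked(struct ffa_driver *drv,
                                     struct ffa_device *dev)
{
    if (drv->remove) {
        drv->remove(dev);
        return 1;
    }
    return 0;
}

/*
 * Alternative hardening (not what the kernel did): make the callback
 * mandatory by installing a no-op at registration time, so that every
 * later call site may dereference it without a check.
 */
static void default_remove(struct ffa_device *dev) { (void)dev; }

static int ffa_register_with_default(struct ffa_driver *drv)
{
    int ret = ffa_register(drv);

    if (ret == 0 && !drv->remove)
        drv->remove = default_remove;
    return ret;
}

/* Sample drivers, constructed for this example. */
static int noop_probe(struct ffa_device *dev) { (void)dev; return 0; }
static void count_remove(struct ffa_device *dev) { dev->removed++; }

struct ffa_driver drv_with_remove = {
    .name = "with-remove", .probe = noop_probe, .remove = count_remove,
};
struct ffa_driver drv_without_remove = {
    .name = "without-remove", .probe = noop_probe, /* .remove stays NULL */
};
struct ffa_driver drv_without_probe = { .name = "no-probe" };

/*
 * The scenario from the commit: register a driver, then detach it as rmmod
 * would, using the fixed path. Returns -1 if registration failed, 1 if the
 * driver's own remove ran, 0 if it had none and was skipped safely.
 */
static int simulate_rmmod(struct ffa_driver *drv)
{
    struct ffa_device dev = { .name = "ffa0", .removed = 0 };

    if (ffa_register(drv) != 0)
        return -1;
    ffa_device_remove_checked(drv, &dev);
    return dev.removed;
}

int main(void)
{
    struct ffa_device dev = { .name = "ffa0", .removed = 0 };

    printf("%s: result=%d\n", drv_with_remove.name,
           simulate_rmmod(&drv_with_remove));
    printf("%s: result=%d\n", drv_without_remove.name,
           simulate_rmmod(&drv_without_remove));

    /* The pre-fix path is only safe when .remove is present. */
    ffa_device_remove_unchecked(&drv_with_remove, &dev);
    printf("%s: removed=%d\n", dev.name, dev.removed);
    return 0;
}
```

The checked path is the one-line shape of the actual fix; the registration-time default is shown only to contrast the two places a missing optional callback can be handled, at the call site or at the API boundary.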