Linux Kernel up to 6.7.1 on AMD PM Driver kv_parse_power_table use after free

Summaryinfo

A vulnerability marked as problematic has been reported in Linux Kernel up to 6.7.1 on AMD. This affects the function kv_parse_power_table of the component PM Driver. This manipulation causes use after free. This vulnerability appears as CVE-2023-52469. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Linux Kernel up to 6.7.1 on AMD (Operating System) and classified as problematic. Affected by this vulnerability is the function kv_parse_power_table of the component PM Driver. The manipulation with an unknown input leads to a use after free vulnerability. The CWE definition for the vulnerability is CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. The impact remains unknown. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug.

The weakness was presented 02/25/2024. The advisory is shared at git.kernel.org. This vulnerability is known as CVE-2023-52469 since 02/20/2024. Technical details are known, but no exploit is available.

Upgrading to version 4.19.306, 5.4.268, 5.10.209, 5.15.148, 6.1.75, 6.6.14, 6.7.2 or 6.8-rc1 eliminates this vulnerability. Applying the patch 8a27d9d9fc9b/8b55b06e737f/520e213a0b97/b6dcba02ee17/35fa2394d26e/95084632a65d/3426f059eacc/28dd788382c4 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 4.19.305
• 5.4.267
• 5.10.208
• 5.15.147
• 6.1.0
• 6.1.1
• 6.1.2
• 6.1.3
• 6.1.4
• 6.1.5
• 6.1.6
• 6.1.7
• 6.1.8
• 6.1.9
• 6.1.10
• 6.1.11
• 6.1.12
• 6.1.13
• 6.1.14
• 6.1.15
• 6.1.16
• 6.1.17
• 6.1.18
• 6.1.19
• 6.1.20
• 6.1.21
• 6.1.22
• 6.1.23
• 6.1.24
• 6.1.25
• 6.1.26
• 6.1.27
• 6.1.28
• 6.1.29
• 6.1.30
• 6.1.31
• 6.1.32
• 6.1.33
• 6.1.34
• 6.1.35
• 6.1.36
• 6.1.37
• 6.1.38
• 6.1.39
• 6.1.40
• 6.1.41
• 6.1.42
• 6.1.43
• 6.1.44
• 6.1.45
• 6.1.46
• 6.1.47
• 6.1.48
• 6.1.49
• 6.1.50
• 6.1.51
• 6.1.52
• 6.1.53
• 6.1.54
• 6.1.55
• 6.1.56
• 6.1.57
• 6.1.58
• 6.1.59
• 6.1.60
• 6.1.61
• 6.1.62
• 6.1.63
• 6.1.64
• 6.1.65
• 6.1.66
• 6.1.67
• 6.1.68
• 6.1.69
• 6.1.70
• 6.1.71
• 6.1.72
• 6.1.73
• 6.1.74
• 6.6.0
• 6.6.1
• 6.6.2
• 6.6.3
• 6.6.4
• 6.6.5
• 6.6.6
• 6.6.7
• 6.6.8
• 6.6.9
• 6.6.10
• 6.6.11
• 6.6.12
• 6.6.13
• 6.7.0
• 6.7.1

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion