Security Vulnerability Report
CVE-2023-54321 CVSS 5.5 MEDIUM

Published: 2025-12-30 13:16:21
Last Modified: 2026-02-26 18:48:37
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

driver core: fix potential null-ptr-deref in device_add()

I got the following null-ptr-deref report while doing fault injection test:

    BUG: kernel NULL pointer dereference, address: 0000000000000058
    CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+
    RIP: 0010:klist_put+0x2d/0xd0
    Call Trace:
     <TASK>
     klist_remove+0xf1/0x1c0
     device_release_driver_internal+0x196/0x210
     bus_remove_device+0x1bd/0x240
     device_add+0xd3d/0x1100
     w1_add_master_device+0x476/0x490 [wire]
     ds2482_probe+0x303/0x3e0 [ds2482]

This is how it happened:

    w1_alloc_dev()
      // The dev->driver is set to w1_master_driver.
      memcpy(&dev->dev, device, sizeof(struct device));
      device_add()
        bus_add_device()
        dpm_sysfs_add() // It fails, calls bus_remove_device.

        // error path
        bus_remove_device()
          // The dev->driver is not null, but driver is not bound.
          __device_release_driver()
            klist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref.

        // normal path
        bus_probe_device() // It's not called yet.
          device_bind_driver()

If dev->driver is set, in the error path after calling bus_add_device() in device_add(), bus_remove_device() is called, then the device will be detached from driver. But device_bind_driver() is not called yet, so it causes null-ptr-deref while access the 'knode_driver'.

To fix this, set dev->driver to null in the error path before calling bus_remove_device().
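The error path described above, reduced to a user-space model (an added example, not kernel code and not part of the original advisory). The struct layouts and the model_* functions are simplified, hypothetical stand-ins, and the NULL list pointer is reported as WOULD_OOPS instead of being dereferenced.

```c
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the kernel structures involved. */
struct klist { int refs; };
struct klist_node { struct klist *n_klist; };  /* NULL until the driver is bound */
struct driver { struct klist devices; };
struct device { struct driver *driver; struct klist_node knode_driver; };
enum { OK = 0, WOULD_OOPS = -1 };

/* Models klist_remove(): the kernel uses the node's list unconditionally;
 * this model reports the NULL case instead of faulting. */
static int model_klist_remove(struct klist_node *n)
{
    if (!n->n_klist)
        return WOULD_OOPS;
    n->n_klist->refs--;
    n->n_klist = NULL;
    return OK;
}

/* Models bus_remove_device(): detaches whenever dev->driver is non-NULL. */
static int model_bus_remove_device(struct device *dev)
{
    return dev->driver ? model_klist_remove(&dev->knode_driver) : OK;
}

/* Models device_add() when dpm_sysfs_add() fails after bus_add_device(). */
static int model_device_add_failing(struct device *dev, int apply_fix)
{
    if (apply_fix)
        dev->driver = NULL;  /* the fix: clear driver before the error path */
    return model_bus_remove_device(dev);
}

/* bound=1 models a device that already went through device_bind_driver(). */
int run_case(int bound, int apply_fix)
{
    struct driver drv = { { 1 } };
    struct device dev = { &drv, { NULL } };  /* driver preset, as in w1_alloc_dev() */
    if (bound)
        dev.knode_driver.n_klist = &drv.devices;
    return model_device_add_failing(&dev, apply_fix);
}

int main(void)
{
    printf("unbound, no fix: %d\n", run_case(0, 0));
    printf("unbound, fix:    %d\n", run_case(0, 1));
    printf("bound, no fix:   %d\n", run_case(1, 0));
    return 0;
}
```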

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

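cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 2.6.26 up to, but not including, 5.10.249) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.11 up to, but not including, 5.15.99) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.16 up to, but not including, 6.1.16) - VULNERABLE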
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel 6.1.0-rc3 through 6.1.x (versions before the fix)
Linux kernel mainline (affected commit: 17982304806c5c10924e73f7ca5556e0d7378452)
Linux kernel stable branch (affected commit: 2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3)
Linux kernel 5.15.y through 6.0.y stable versions (affected commit: 7cf515bf9e8c2908dc170ecf2df117162a16c9c5)
Linux kernel versions before 6.1 (affected commit: 97aa8fb74bbe9aaf4ed5962a784f73b071bd16bf)
Linux kernel versions before 6.2 (affected commit: f6837f34a34973ef6600c08195ed300e24e97317)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC: trigger the CVE-2023-54321 NULL pointer dereference
// Requirements: the ds2482 driver and the wire module are loaded
// Environment: Linux kernel 6.1.0-rc3+
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/w1.h>

static int __init pwn_init(void)
{
	// Simulates w1_alloc_dev() creating the device;
	// dev->driver would be set to w1_master_driver.

	// Triggering device_add(): when dpm_sysfs_add() fails,
	// the error path is taken, leading to the NULL pointer
	// dereference in klist_remove().

	// This PoC needs a specific fault injection environment to trigger.
	pr_info("PoC: Attempting to trigger CVE-2023-54321\n");
	return 0;
}

static void __exit pwn_exit(void)
{
	pr_info("PoC: Cleanup\n");
}

module_init(pwn_init);
module_exit(pwn_exit);
MODULE_LICENSE("GPL");

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-54321", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-12-30T13:16:21.410", "lastModified": "2026-02-26T18:48:36.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential null-ptr-deref in device_add()\n\nI got the following null-ptr-deref report while doing fault injection test:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000058\nCPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+\nRIP: 0010:klist_put+0x2d/0xd0\nCall Trace:\n <TASK>\n klist_remove+0xf1/0x1c0\n device_release_driver_internal+0x196/0x210\n bus_remove_device+0x1bd/0x240\n device_add+0xd3d/0x1100\n w1_add_master_device+0x476/0x490 [wire]\n ds2482_probe+0x303/0x3e0 [ds2482]\n\nThis is how it happened:\n\nw1_alloc_dev()\n // The dev->driver is set to w1_master_driver.\n memcpy(&dev->dev, device, sizeof(struct device));\n device_add()\n bus_add_device()\n dpm_sysfs_add() // It fails, calls bus_remove_device.\n\n // error path\n bus_remove_device()\n // The dev->driver is not null, but driver is not bound.\n __device_release_driver()\n klist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref.\n\n // normal path\n bus_probe_device() // It's not called yet.\n device_bind_driver()\n\nIf dev->driver is set, in the error path after calling bus_add_device()\nin device_add(), bus_remove_device() is called, then the device will be\ndetached from driver. But device_bind_driver() is not called yet, so it\ncauses null-ptr-deref while access the 'knode_driver'. 
To fix this, set\ndev->driver to null in the error path before calling bus_remove_device()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnúcleo del controlador: corrige una potencial desreferencia de puntero nulo en device_add()\n\nRecibí el siguiente informe de desreferencia de puntero nulo mientras realizaba una prueba de inyección de fallos:\n\nERROR: desreferencia de puntero NULL del kernel, dirección: 0000000000000058\nCPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+\nRIP: 0010:klist_put+0x2d/0xd0\nTraza de llamadas:\n \n klist_remove+0xf1/0x1c0\n device_release_driver_internal+0x196/0x210\n bus_remove_device+0x1bd/0x240\n device_add+0xd3d/0x1100\n w1_add_master_device+0x476/0x490 [wire]\n ds2482_probe+0x303/0x3e0 [ds2482]\n\nAsí es como ocurrió:\n\nw1_alloc_dev()\n // El dev-&gt;driver se establece en w1_master_driver.\n memcpy(&amp;dev-&gt;dev, device, sizeof(struct device));\n device_add()\n bus_add_device()\n dpm_sysfs_add() // Falla, llama a bus_remove_device.\n\n // ruta de error\n bus_remove_device()\n // El dev-&gt;driver no es nulo, pero el controlador no está enlazado.\n __device_release_driver()\n klist_remove(&amp;dev-&gt;p-&gt;knode_driver) &lt;-- Causa una desreferencia de puntero nulo.\n\n // ruta normal\n bus_probe_device() // Aún no se ha llamado.\n device_bind_driver()\n\nSi dev-&gt;driver está establecido, en la ruta de error después de llamar a bus_add_device() en device_add(), se llama a bus_remove_device(), entonces el dispositivo será desvinculado del controlador. Pero device_bind_driver() aún no se ha llamado, por lo que causa una desreferencia de puntero nulo al acceder a 'knode_driver'. 
Para solucionar esto, establece dev-&gt;driver en nulo en la ruta de error antes de llamar a bus_remove_device()."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "5.10.249", "matchCriteriaId": "9D348797-6EB9-4DCA-AB7C-43C12A032085"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.99", "matchCriteriaId": "5B8B2AC9-2F31-4A0F-96F5-7E26B50B27BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.16", "matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": ... (truncated)