AZL-54821

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-54821.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-54821

Upstream

CVE-2023-52749

Published

2024-05-21T16:15:14Z

Modified

2026-04-01T05:18:24.651997Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2023-52749 affecting package kernel 5.15.200.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

spi: Fix null dereference on suspend

A race condition exists where a synchronous (noqueue) transfer can be active during a system suspend. This can cause a null pointer dereference exception to occur when the system resumes.

Example order of events leading to the exception: 1. spi_sync() calls __spitransfermessagenoqueue() which sets ctlr->curmsg 2. Spi transfer begins via spitransferonemessage() 3. System is suspended interrupting the transfer context 4. System is resumed 6. spicontrollerresume() calls spistartqueue() which resets curmsg to NULL 7. Spi transfer context resumes and spifinalizecurrentmessage() is called which dereferences curmsg (which is now NULL)

Wait for synchronous transfers to complete before suspending by acquiring the bus mutex and setting/checking a suspend flag.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-52749

Affected packages

Azure Linux:2 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.15.200.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-54821.json"