CVE-2023-54198

In the Linux kernel, the following vulnerability has been resolved:

tty: fix out-of-bounds access in ttydriverlookup_tty()

When specifying an invalid console= device like console=tty3270, ttydriverlookup_tty() returns the tty struct without checking whether index is a valid number.

To reproduce:

qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ -kernel ../linux-build-x86/arch/x86/boot/bzImage \ -append "console=ttyS0 console=tty3270"

This crashes with:

[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: errorcode(0x0000) - not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:ttyopen+0x268/0x6f0 [ 0.784013] chrdevopen+0xbd/0x230 [ 0.784444] ? cdevdeviceadd+0x80/0x80 [ 0.784920] dodentryopen+0x1e0/0x410 [ 0.785389] pathopenat+0xca9/0x1050 [ 0.785813] dofilpopen+0xaa/0x150 [ 0.786240] fileopenname+0x133/0x1b0 [ 0.786746] filpopen+0x27/0x50 [ 0.787244] consoleonrootfs+0x14/0x4d [ 0.787800] kernelinitfreeable+0x1e4/0x20d [ 0.788383] ? restinit+0xc0/0xc0 [ 0.788881] kernelinit+0x11/0x120 [ 0.789356] retfrom_fork+0x22/0x30