Bug 1225474 (CVE-2023-52802)

Summary: VUL-0: REJECTED: CVE-2023-52802: kernel: iio: adc: stm32-adc: harden against NULL pointer deref in stm32_adc_probe()
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gabriele.sonnu, ivan.ivanov, jlee, rfrohl
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/407114/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52802:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority: ---
Business Priority: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-28 11:53:54 UTC
In the Linux kernel, the following vulnerability has been resolved:

iio: adc: stm32-adc: harden against NULL pointer deref in stm32_adc_probe()

of_match_device() may fail and return a NULL pointer.

In practice there is no known reasonable way to trigger this, but
in case one is added in future, harden the code by adding the check.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52802
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2023/CVE-2023-52802.mbox
https://git.kernel.org/stable/c/b80aaff5f7817d50798ac61ed75973f004dd5202
https://git.kernel.org/stable/c/b028f89c56e964a22d3ddb8eab1a0e7e980841b9
https://git.kernel.org/stable/c/5b82e4240533bcd4691e50b64ec86d0d7fbd21b9
https://git.kernel.org/stable/c/3a23b384e7e3d64d5587ad10729a34d4f761517e
https://www.cve.org/CVERecord?id=CVE-2023-52802
https://bugzilla.redhat.com/show_bug.cgi?id=2282620
Comment 3 Ivan Ivanov 2024-06-05 06:19:47 UTC
I could argue this is not a bug or a CVE at all. Look at the commit message:

"
In practice there is no known reasonable way to trigger this, but
in case one is added in future, harden the code by adding the check.
"
Comment 4 Ivan Ivanov 2024-06-05 14:51:48 UTC
Asked about this upstream [1].

[1] https://lore.kernel.org/all/20240605145123.78220-1-iivanov@suse.de/
Comment 5 Ivan Ivanov 2024-06-10 06:28:03 UTC
Now rejected. https://nvd.nist.gov/vuln/detail/CVE-2023-52802

Back to security team.
Comment 7 Robert Frohl 2024-06-10 07:10:07 UTC
closing