From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C7B5D2E5B19 for ; Wed, 1 Oct 2025 11:54:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759319694; cv=none; b=KjqjnwN7lG4vfLw5cc8EBon3TtZ3zNiQ/J/u0OWwd9NMRUrZZ+h6XVghrGk8IYrIs/316OBDC9BpuFKoEEDhlLUHVkKert4B90ulD1T/9V2RS2hq6rSF3/nvYDqhCGamjCNuWUocADfsNP4yqYwVd9spDsOOEnpT58lhw7bPkJc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759319694; c=relaxed/simple; bh=FizhN7tdPYZzToLcVwOKYaTYwb+ZgFWUn3cpYFuwl9A=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Z4R9/4uXIHewgnd6RnmHC3KukC3zg4RpZ9mBSpzdyZZ8Gf5rBzO8dohjsU3649tjcYL+lEYzu0dyBUqImj/jRoFimR4O+3z/uGBEhcKMyzx1iwxqQsL1iV4VZluopvE+qhVo3A+P34PwJRu28OdzKpEVhqQbr4JNiriyMPiviNA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=cbr4k+e7; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="cbr4k+e7" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 38C2BC4CEF4; Wed, 1 Oct 2025 11:54:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1759319694; bh=FizhN7tdPYZzToLcVwOKYaTYwb+ZgFWUn3cpYFuwl9A=; h=From:To:Cc:Subject:Date:Reply-to:From; b=cbr4k+e7GVNDI3fY0JdYxgsmLN/GtRds/p3nfTUn1CDKkAXO1y6yYZqvByZUydUbs vRP1Ir1Fb6oG0zKW/xLk9rcGmyZywJJ6YiTFVxkaa7IftufqMlT8ENpYQnxWzeQN5p n7XUxq7oJxCH5l7lmC6EUvE38e+zPPtwmprwk7Q8= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2023-53451: scsi: qla2xxx: Fix potential NULL pointer dereference Date: Wed, 1 Oct 2025 13:42:21 +0200 Message-ID: <2025100103-CVE-2023-53451-bb02@gregkh> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Reply-to: , X-Developer-Signature: v=1; a=openpgp-sha256; l=2604; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=qf6po6ZnYOGyH3hB95VQngAWlLl3VLH0KToAqkMFLsE=; b=owGbwMvMwCRo6H6F97bub03G02pJDBl3hbt19/b4TjKYHvZ47Q7bBz2rL9qGsrrf3nr78zOfF 19frr/3oyOWhUGQiUFWTJHlyzaeo/srDil6GdqehpnDygQyhIGLUwAmkr+YYa6c6Y+yAxfi5pdU O1Ulhq40iQg1ecWw4Lj5Thf3zvkvTeydNlclvpI9kuAfAgA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix potential NULL pointer dereference Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate pointer before dereferencing the pointer. The Linux kernel CVE team has assigned CVE-2023-53451 to this issue. Affected and fixed versions =========================== Fixed in 4.14.322 with commit 02405f4023866ae91a611b5b85cb2e074ec2de5a Fixed in 4.19.291 with commit ee4c9a93238b9ce3703942500cb1aeacf77090d2 Fixed in 5.4.251 with commit 4f90a8b0481615622bd0558aa8cf361bea872045 Fixed in 5.10.188 with commit 2bea9c1c983152c5411f5a2f1113cb790ce1389d Fixed in 5.15.121 with commit 5a52a2e14fe866541bbc0033058e44bf0bf0c580 Fixed in 6.1.40 with commit ce2cdbe530b0066bae1f98dbab590a232d507eaa Fixed in 6.4.5 with commit af7affc0f6b82a5bde430fc4f0dcf70963442fbc Fixed in 6.5 with commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53451 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/scsi/qla2xxx/qla_iocb.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/02405f4023866ae91a611b5b85cb2e074ec2de5a https://git.kernel.org/stable/c/ee4c9a93238b9ce3703942500cb1aeacf77090d2 https://git.kernel.org/stable/c/4f90a8b0481615622bd0558aa8cf361bea872045 https://git.kernel.org/stable/c/2bea9c1c983152c5411f5a2f1113cb790ce1389d https://git.kernel.org/stable/c/5a52a2e14fe866541bbc0033058e44bf0bf0c580 https://git.kernel.org/stable/c/ce2cdbe530b0066bae1f98dbab590a232d507eaa https://git.kernel.org/stable/c/af7affc0f6b82a5bde430fc4f0dcf70963442fbc https://git.kernel.org/stable/c/464ea494a40c6e3e0e8f91dd325408aaf21515ba