CVE-2023-52450: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-52450 affects the Linux kernel's performance monitoring subsystem, specifically in the Intel uncore component. The vulnerability was discovered in the upi_fill_topology() function where a NULL pointer dereference issue could occur due to improper handling of socket IDs. The issue affects Linux kernel versions from 6.2.0 up to (excluding) 6.6.14 and from 6.7.0 up to (excluding) 6.7.2 (NVD).

The vulnerability stems from using physical socket ID instead of logical socket ID in the discover_upi_topology() function, which could lead to an out-of-bound access on 'upi = &type->topology[nid][idx]' line, resulting in a NULL pointer dereference in upi_fill_topology(). The issue was introduced in commit f680b6e6062e which enabled UPI topology discovery for Icelake Server. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to a system crash due to NULL pointer dereference, potentially causing a denial of service condition. The impact is limited to local attacks and requires local user privileges to exploit (NVD).

The issue has been fixed in Linux kernel versions 6.6.14 and 6.7.2. The fix involves modifying the discover_upi_topology() function to use logical socket ID instead of physical ID, preventing the NULL pointer dereference. Users should upgrade to the patched versions. The fix is also being backported to various stable kernel versions (Kernel Patch).