CVE-2024-43823: 
Linux Kernel vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in the Linux kernel's PCI keystone driver (CVE-2024-43823). The issue occurs in the kspciesetuprcappregs() function when IORESOURCEMEM is not provided in the Device Tree. The vulnerability was found by Linux Verification Center (linuxtesting.org) using the SVACE tool (NVD).

The vulnerability exists in the Linux kernel's PCI keystone driver where resourcelistfirsttype() returns NULL and pciparserequestofpciranges() only emits a warning when IORESOURCEMEM is not provided in the Device Tree. This leads to a NULL pointer dereference in the kspciesetuprcappregs() function. The issue affects Linux kernel versions from 5.10 up to (excluding) 6.1.103, from 6.2 up to (excluding) 6.6.44, and from 6.7 up to (excluding) 6.10.3. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash due to NULL pointer dereference when the Device Tree configuration is incorrect or missing the required IORESOURCE_MEM entry (Kernel Patch).

The issue has been fixed by adding a NULL return check in the kspciesetuprcapp_regs() function. The fix has been backported to affected stable kernel versions. Users should update to Linux kernel versions 6.1.103, 6.6.44, or 6.10.3 or later depending on their kernel series (Kernel Patch).