CVE-2019-12455 : An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c

An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through 5.1.5. There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because “The memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.”

Published 2019-05-30 04:29:02

Updated 2024-08-05 00:15:23

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory CorruptionDenial of service

Products affected by CVE-2019-12455

Linux » Linux Kernel
Versions up to, including, (<=) 5.1.5
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-12455

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-12455

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.9	MEDIUM	AV:L/AC:L/Au:N/C:N/I:N/A:C	3.9	6.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-12455

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-12455

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J36BIJTKEPUOZKJNHQBUZA47RQONUKOI/

[SECURITY] Fedora 30 Update: kernel-headers-5.1.7-300.fc30 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2010240.html

Re: [PATCH] clk-sunxi: fix a missing-check bug in sunxi_divs_clk_setup()
Mailing List;Third Party Advisory
https://www.mail-archive.com/linux-kernel%40vger.kernel.org/msg2010240.html

Re: [PATCH] clk-sunxi: fix a missing-check bug in sunxi_divs_clk_setup()
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J36BIJTKEPUOZKJNHQBUZA47RQONUKOI/

[SECURITY] Fedora 30 Update: kernel-headers-5.1.7-300.fc30 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux.git/commit/?h=sunxi/clk-for-5.3&id=fcdf445ff42f036d22178b49cf64e92d527c1330

kernel/git/sunxi/linux.git - Allwinner/Sunxi group's fork of linux.git
Mailing List;Patch;Vendor Advisory
https://security.netapp.com/advisory/ntap-20190710-0002/

June 2019 Linux Kernel Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-12455

Products affected by CVE-2019-12455

Exploit prediction scoring system (EPSS) score for CVE-2019-12455

CVSS scores for CVE-2019-12455

CWE ids for CVE-2019-12455

References for CVE-2019-12455