CVE-2023-52564

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-52564

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52564.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-52564

Related

Published

2024-03-02T22:15:48Z

Modified

2024-09-18T03:24:32.907675Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

Revert "tty: ngsm: fix UAF in gsmcleanup_mux"

This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.

The commit above is reverted as it did not solve the original issue.

gsmcleanupmux() tries to free up the virtual ttys by calling gsmdlcirelease() for each available DLCI. There, dlciput() is called to decrease the reference counter for the DLCI via ttyportput() which finally calls gsmdlcifree(). This already clears the pointer which is being checked in gsmcleanupmux() before calling gsmdlcirelease(). Therefore, it is not necessary to clear this pointer in gsmcleanupmux() as done in the reverted commit. The commit introduces a null pointer dereference: <TASK> ? _die+0x1f/0x70 ? pagefaultoops+0x156/0x420 ? searchexceptiontables+0x37/0x50 ? fixupexception+0x21/0x310 ? excpagefault+0x69/0x150 ? asmexcpagefault+0x26/0x30 ? ttyportput+0x19/0xa0 gsmttycleanup+0x29/0x80 [ngsm] releaseonetty+0x37/0xe0 processonework+0x1e6/0x3e0 workerthread+0x4c/0x3d0 ? _pfxworkerthread+0x10/0x10 kthread+0xe1/0x110 ? _pfxkthread+0x10/0x10 retfromfork+0x2f/0x50 ? _pfxkthread+0x10/0x10 retfromfork_asm+0x1b/0x30 </TASK>

The actual issue is that nothing guards dlciput() from being called multiple times while the tty driver was triggered but did not yet finished calling gsmdlci_free().

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.205-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

5.10.158-1

5.10.158-2

5.10.162-1

5.10.178-1

5.10.178-2

5.10.178-3

5.10.179-1

5.10.179-2

5.10.179-3

5.10.179-4

5.10.179-5

5.10.191-1

5.10.197-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.64-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.6-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.3.1-1~exp1

6.3.2-1~exp1

6.3.4-1~exp1

6.3.5-1~exp1

6.3.7-1~bpo12+1

6.3.7-1

6.3.11-1

6.4~rc6-1~exp1

6.4~rc7-1~exp1

6.4.1-1~exp1

6.4.4-1~bpo12+1

6.4.4-1

6.4.4-2

6.4.4-3~bpo12+1

6.4.4-3

6.4.11-1

6.4.13-1

6.5~rc4-1~exp1

6.5~rc6-1~exp1

6.5~rc7-1~exp1

6.5.1-1~exp1

6.5.3-1~bpo12+1

6.5.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}