CVE-2023-53805
- Source
- https://cve.org/CVERecord?id=CVE-2023-53805
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53805.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-53805
- Downstream
- Published
- 2025-12-09T00:01:03.422Z
- Modified
- 2026-04-10T05:07:00.751492Z
- Summary
- tty: n_gsm: fix UAF in gsm_cleanup_mux
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
tty: ngsm: fix UAF in gsmcleanup_mux
In gsmcleanupmux() the 'gsm->dlci' pointer was not cleaned properly, leaving it a dangling pointer after gsmdlcirelease. This leads to use-after-free where 'gsm->dlci[0]' are freed and accessed by the subsequent gsmcleanupmux().
Such is the case in the following call trace:
<TASK> __dumpstack lib/dumpstack.c:88 [inline] dump_stacklvl+0x1e3/0x2cb lib/dumpstack.c:106 printaddressdescription+0x63/0x3b0 mm/kasan/report.c:248 __kasanreport mm/kasan/report.c:434 [inline] kasanreport+0x16b/0x1c0 mm/kasan/report.c:451 gsmcleanupmux+0x76a/0x850 drivers/tty/ngsm.c:2397 gsmconfig drivers/tty/ngsm.c:2653 [inline] gsmldioctl+0xaae/0x15b0 drivers/tty/ngsm.c:2986 ttyioctl+0x8ff/0xc50 drivers/tty/ttyio.c:2816 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:874 [inline] __sesysioctl+0xf1/0x160 fs/ioctl.c:860 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x61/0xcb </TASK>
Allocated by task 3501: kasansavestack mm/kasan/common.c:38 [inline] kasansettrack mm/kasan/common.c:46 [inline] setallocinfo mm/kasan/common.c:434 [inline] ____kasankmalloc+0xba/0xf0 mm/kasan/common.c:513 kasankmalloc include/linux/kasan.h:264 [inline] kmemcachealloctrace+0x143/0x290 mm/slub.c:3247 kmalloc include/linux/slab.h:591 [inline] kzalloc include/linux/slab.h:721 [inline] gsmdlcialloc+0x53/0x3a0 drivers/tty/ngsm.c:1932 gsmactivatemux+0x1c/0x330 drivers/tty/ngsm.c:2438 gsmconfig drivers/tty/ngsm.c:2677 [inline] gsmldioctl+0xd46/0x15b0 drivers/tty/ngsm.c:2986 ttyioctl+0x8ff/0xc50 drivers/tty/ttyio.c:2816 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:874 [inline] __sesysioctl+0xf1/0x160 fs/ioctl.c:860 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x61/0xcb
Freed by task 3501: kasansavestack mm/kasan/common.c:38 [inline] kasansettrack+0x4b/0x80 mm/kasan/common.c:46 kasansetfree_info+0x1f/0x40 mm/kasan/generic.c:360 ____kasanslabfree+0xd8/0x120 mm/kasan/common.c:366 kasanslabfree include/linux/kasan.h:230 [inline] slabfreehook mm/slub.c:1705 [inline] slabfreefreelisthook+0xdd/0x160 mm/slub.c:1731 slabfree mm/slub.c:3499 [inline] kfree+0xf1/0x270 mm/slub.c:4559 dlciput drivers/tty/ngsm.c:1988 [inline] gsmdlcirelease drivers/tty/ngsm.c:2021 [inline] gsmcleanupmux+0x574/0x850 drivers/tty/ngsm.c:2415 gsmconfig drivers/tty/ngsm.c:2653 [inline] gsmldioctl+0xaae/0x15b0 drivers/tty/ngsm.c:2986 ttyioctl+0x8ff/0xc50 drivers/tty/ttyio.c:2816 vfs_ioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:874 [inline] __sesysioctl+0xf1/0x160 fs/ioctl.c:860 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x61/0xcb
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53805.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/5138c228311a863c3cf937b94a3ab4c87f1f70c4
- https://git.kernel.org/stable/c/74a8d6f50cc90ed0061997db51dfa81a62b0f835
- https://git.kernel.org/stable/c/8fc0eabaa73bbd9bd705577071564616da5c8c61
- https://git.kernel.org/stable/c/9615ca54bc138e35353a001e8b5d4824dce72188
- https://git.kernel.org/stable/c/9b9c8195f3f0d74a826077fc1c01b9ee74907239
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53805.json
- https://nvd.nist.gov/vuln/detail/CVE-2023-53805
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced47132f9f7f766718513625982468f7f1339ca666Fixed8fc0eabaa73bbd9bd705577071564616da5c8c61
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced7f71387d9f3bd83e183d38f7dd7b05165900fc03Fixed5138c228311a863c3cf937b94a3ab4c87f1f70c4
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaa371e96f05dcb36a88298f5cb70aa7234d5e8b8Fixed9615ca54bc138e35353a001e8b5d4824dce72188Fixed74a8d6f50cc90ed0061997db51dfa81a62b0f835Fixed9b9c8195f3f0d74a826077fc1c01b9ee74907239
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected74ef1629c5ab5c89ac241d434dbb3ec150df695a
Linux / Kernel
Package
- Name
- Kernel