CVE-2024-50073
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50073
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50073.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-50073
- Related
- Published
- 2024-10-29T01:15:04Z
- Modified
- 2024-11-09T12:51:12.587578Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
tty: ngsm: Fix use-after-free in gsmcleanup_mux
BUG: KASAN: slab-use-after-free in gsmcleanupmux+0x77b/0x7b0 drivers/tty/ngsm.c:3160 [ngsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsmcleanupmux+0x77b/0x7b0 drivers/tty/ngsm.c:3160 [ngsm] _pfxgsmcleanupmux+0x10/0x10 drivers/tty/ngsm.c:3124 [ngsm] _pfxschedclockcpu+0x10/0x10 kernel/sched/clock.c:389 updateloadavg+0x1c1/0x27b0 kernel/sched/fair.c:4500 _pfxminvruntimecbrotate+0x10/0x10 kernel/sched/fair.c:846 _rbinsertaugmented+0x492/0xbf0 lib/rbtree.c:161 gsmldioctl+0x395/0x1450 drivers/tty/ngsm.c:3408 [ngsm] _rawspinlockirqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 _pfxgsmldioctl+0x10/0x10 drivers/tty/ngsm.c:3822 [ngsm] ktimeget+0x5e/0x140 kernel/time/timekeeping.c:195 ldsemdownread+0x94/0x4e0 arch/x86/include/asm/atomic6464.h:79 _pfxldsemdownread+0x10/0x10 drivers/tty/ttyldsem.c:338 _pfxdovfsioctl+0x10/0x10 fs/ioctl.c:805 ttyioctl+0x643/0x1100 drivers/tty/ttyio.c:2818
Allocated by task 65: gsmdataalloc.constprop.0+0x27/0x190 drivers/tty/ngsm.c:926 [ngsm] gsmsend+0x2c/0x580 drivers/tty/ngsm.c:819 [ngsm] gsm1receive+0x547/0xad0 drivers/tty/ngsm.c:3038 [ngsm] gsmldreceivebuf+0x176/0x280 drivers/tty/ngsm.c:3609 [ngsm] ttyldiscreceivebuf+0x101/0x1e0 drivers/tty/ttybuffer.c:391 ttyportdefaultreceivebuf+0x61/0xa0 drivers/tty/ttyport.c:39 flushtoldisc+0x1b0/0x750 drivers/tty/ttybuffer.c:445 processscheduledworks+0x2b0/0x10d0 kernel/workqueue.c:3229 workerthread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 retfromfork+0x2d/0x70 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:257
Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsmcleanupmux+0x36c/0x7b0 drivers/tty/ngsm.c:3160 [ngsm] gsmldioctl+0x395/0x1450 drivers/tty/ngsm.c:3408 [ngsm] ttyioctl+0x643/0x1100 drivers/tty/tty_io.c:2818
[Analysis] gsmmsg on the txctrllist or txdatalist of gsmmux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock.
- References
-
- https://git.kernel.org/stable/c/0eec592c6a7460ba795d7de29f3dc95cb5422e62
- https://git.kernel.org/stable/c/9462f4ca56e7d2430fdb6dcc8498244acbfc4489
- https://git.kernel.org/stable/c/bf171b5e86e41de4c1cf32fb7aefa275c3d7de49
- https://git.kernel.org/stable/c/c29f192e0d44cc1cbaf698fa1ff198f63556691a
- https://security-tracker.debian.org/tracker/CVE-2024-50073
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.115-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.11.5-1