DEBIAN-CVE-2023-53478
- Source
- https://security-tracker.debian.org/tracker/CVE-2023-53478
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53478.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53478
- Upstream
- Published
- 2025-10-01T12:15:50.270Z
- Modified
- 2026-04-28T20:27:02.147700Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: tracing/synthetic: Fix races on freeing lastcmd Currently, the "lastcmd" variable can be accessed by multiple processes asynchronously when multiple users manipulate syntheticevents node at the same time, it could lead to use-after-free or double-free. This patch add "lastcmdmutex" to prevent "lastcmd" from being accessed asynchronously. ================================================================ It's easy to reproduce in the KASAN environment by running the two scripts below in different shells. script 1: while : do echo -n -e '\x88' > /sys/kernel/tracing/syntheticevents done script 2: while : do echo -n -e '\xb0' > /sys/kernel/tracing/syntheticevents done ================================================================ double-free scenario: process A process B ------------------- --------------- 1.kstrdup lastcmd 2.free lastcmd 3.free lastcmd(double-free) ================================================================ use-after-free scenario: process A process B ------------------- --------------- 1.kstrdup lastcmd 2.free lastcmd 3.tracinglogerr(use-after-free) ================================================================ Appendix 1. KASAN report double-free: BUG: KASAN: double-free in kfree+0xdc/0x1d4 Free of addr ***** by task sh/4879 Call trace: ... kfree+0xdc/0x1d4 createordeletesynthevent+0x60/0x1e8 traceparseruncommand+0x2bc/0x4b8 syntheventswrite+0x20/0x30 vfswrite+0x200/0x830 ... Allocated by task 4879: ... kstrdup+0x5c/0x98 createordeletesynthevent+0x6c/0x1e8 traceparseruncommand+0x2bc/0x4b8 syntheventswrite+0x20/0x30 vfswrite+0x200/0x830 ... Freed by task 5464: ... kfree+0xdc/0x1d4 createordeletesynthevent+0x60/0x1e8 traceparseruncommand+0x2bc/0x4b8 syntheventswrite+0x20/0x30 vfswrite+0x200/0x830 ... ================================================================ Appendix 2. KASAN report use-after-free: BUG: KASAN: use-after-free in strlen+0x5c/0x7c Read of size 1 at addr ***** by task sh/5483 sh: CPU: 7 PID: 5483 Comm: sh ... _asanreportload1noabort+0x34/0x44 strlen+0x5c/0x7c tracinglogerr+0x60/0x444 createordeletesynthevent+0xc4/0x204 traceparseruncommand+0x2bc/0x4b8 syntheventswrite+0x20/0x30 vfswrite+0x200/0x830 ... Allocated by task 5483: ... kstrdup+0x5c/0x98 createordeletesynthevent+0x80/0x204 traceparseruncommand+0x2bc/0x4b8 syntheventswrite+0x20/0x30 vfswrite+0x200/0x830 ... Freed by task 5480: ... kfree+0xdc/0x1d4 createordeletesynthevent+0x74/0x204 traceparseruncommand+0x2bc/0x4b8 syntheventswrite+0x20/0x30 vfswrite+0x200/0x830 ...
- References
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source