CVE-2023-52468

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52468
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52468.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52468
Published
2024-02-25T08:16:32Z
Modified
2025-10-16T11:23:45.000041Z
Summary
class: fix use-after-free in class_register()
Details

In the Linux kernel, the following vulnerability has been resolved:

class: fix use-after-free in class_register()

The lock_class_key is still registered and can be found in the lock_keys_hash hlist after subsys_private is freed in the error handler path. A task that iterates over lock_keys_hash later may cause a use-after-free. So fix that up and unregister the lock_class_key before kfree(cp).

On our platform, a driver fails to kset_register because of creating a duplicate filename '/class/xxx'. With KASAN enabled, it prints an invalid-access bug report.

KASAN bug report:

BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc
Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252
Pointer tag: [15], memory tag: [fe]

CPU: 7 PID: 252 Comm: modprobe Tainted: G        W          6.6.0-mainline-maybe-dirty #1

Call trace:
 dump_backtrace+0x1b0/0x1e4
 show_stack+0x2c/0x40
 dump_stack_lvl+0xac/0xe0
 print_report+0x18c/0x4d8
 kasan_report+0xe8/0x148
 __hwasan_store8_noabort+0x88/0x98
 lockdep_register_key+0x19c/0x1bc
 class_register+0x94/0x1ec
 init_module+0xbc/0xf48 [rfkill]
 do_one_initcall+0x17c/0x72c
 do_init_module+0x19c/0x3f8
 ...
Memory state around the buggy address:
 ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a
 ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe
 ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                      ^
 ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03

As CONFIG_KASAN_GENERIC is not set, KASAN reports invalid-access rather than use-after-free here. In this case, modprobe is manipulating the corrupted lock_keys_hash hlist where the lock_class_key has already been freed.

It's worth noting that this can only happen if lockdep is enabled, which is not the case for a normal system.
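The error path described above, modelled in user-space C as an added example (this is not code from the kernel commit or from this record). The key registry, `toy_register_key`, `toy_unregister_key`, `keys_in_range` and the trimmed `struct subsys_private` are constructed stand-ins for lockdep's lock_keys_hash, lockdep_register_key(), lockdep_unregister_key() and the real kernel structure; the model shows that freeing the container without unregistering its embedded key leaves a dangling registry entry, and that unregistering first (the fix) does not.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for lockdep's lock_keys_hash: a table of key
 * addresses. Real lockdep keeps registered keys on an hlist. */
#define MAX_KEYS 16
struct lock_class_key { int dummy; };
static uintptr_t key_table[MAX_KEYS];

static void toy_register_key(struct lock_class_key *key)  /* lockdep_register_key() */
{
    for (int i = 0; i < MAX_KEYS; i++)
        if (!key_table[i]) { key_table[i] = (uintptr_t)key; return; }
}

static void toy_unregister_key(struct lock_class_key *key)  /* lockdep_unregister_key() */
{
    for (int i = 0; i < MAX_KEYS; i++)
        if (key_table[i] == (uintptr_t)key) key_table[i] = 0;
}

/* How many registered keys lie inside the address range [lo, hi)? */
static int keys_in_range(uintptr_t lo, uintptr_t hi)
{
    int n = 0;
    for (int i = 0; i < MAX_KEYS; i++)
        if (key_table[i] >= lo && key_table[i] < hi) n++;
    return n;
}

/* Constructed stand-in for struct subsys_private: the key is embedded in it. */
struct subsys_private { char name[32]; struct lock_class_key lock_key; };

/* Model of class_register()'s kset_register() failure path.
 * Returns the number of registry entries still pointing into the freed
 * object: 1 reproduces the bug, 0 is the fixed behaviour. */
static int class_register_error_path(int apply_fix)
{
    memset(key_table, 0, sizeof key_table);   /* fresh registry per run */
    struct subsys_private *cp = calloc(1, sizeof *cp);
    uintptr_t lo = (uintptr_t)cp, hi = lo + sizeof *cp;
    toy_register_key(&cp->lock_key);
    /* ... kset_register() fails here (duplicate '/class/xxx') ... */
    if (apply_fix)
        toy_unregister_key(&cp->lock_key);    /* the fix: drop the key first */
    free(cp);                                 /* kfree(cp) */
    return keys_in_range(lo, hi);             /* dangling entries left behind */
}
```

A later walk of the registry in the buggy case would dereference the stale entry, which is the access KASAN flagged inside lockdep_register_key() above.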

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dcfbb67e48a2becfce7990386e985b9c45098ee5
Fixed
b57196a5ec5e4c0ffecde8348b085b778c7dce04
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dcfbb67e48a2becfce7990386e985b9c45098ee5
Fixed
0f1486dafca3398c4c46b9f6e6452fa27e73b559
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dcfbb67e48a2becfce7990386e985b9c45098ee5
Fixed
93ec4a3b76404bce01bd5c9032bef5df6feb1d62

Affected versions

v6.*

v6.3
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.14
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.2