CVE-2023-52564

Source
https://cve.org/CVERecord?id=CVE-2023-52564
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52564.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52564
Published
2024-03-02T21:59:36.867Z
Modified
2026-03-13T07:48:04.893643Z
Summary
Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
Details

In the Linux kernel, the following vulnerability has been resolved:

Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"

This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.

The commit above is reverted as it did not solve the original issue.

gsm_cleanup_mux() tries to free up the virtual ttys by calling gsm_dlci_release() for each available DLCI. There, dlci_put() is called to decrease the reference counter for the DLCI via tty_port_put() which finally calls gsm_dlci_free(). This already clears the pointer which is being checked in gsm_cleanup_mux() before calling gsm_dlci_release(). Therefore, it is not necessary to clear this pointer in gsm_cleanup_mux() as done in the reverted commit. The commit introduces a null pointer dereference:

 <TASK>
 ? __die+0x1f/0x70
 ? page_fault_oops+0x156/0x420
 ? search_exception_tables+0x37/0x50
 ? fixup_exception+0x21/0x310
 ? exc_page_fault+0x69/0x150
 ? asm_exc_page_fault+0x26/0x30
 ? tty_port_put+0x19/0xa0
 gsmtty_cleanup+0x29/0x80 [n_gsm]
 release_one_tty+0x37/0xe0
 process_one_work+0x1e6/0x3e0
 worker_thread+0x4c/0x3d0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe1/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2f/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>

The actual issue is that nothing guards dlci_put() from being called multiple times while the tty driver was triggered but did not yet finish calling gsm_dlci_free().

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52564.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8fc0eabaa73bbd9bd705577071564616da5c8c61
Fixed
6d5c8862932d31a810b6545f7d69ecc124402c6e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5138c228311a863c3cf937b94a3ab4c87f1f70c4
Fixed
a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9615ca54bc138e35353a001e8b5d4824dce72188
Fixed
c61d0b87a7028c2c10faffc524d748334c7b9827
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9b9c8195f3f0d74a826077fc1c01b9ee74907239
Fixed
2bff660e0ff349dee84dc4f6f6d10da4497f5b28
Fixed
29346e217b8ab8a52889b88f00b268278d6b7668
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
74a8d6f50cc90ed0061997db51dfa81a62b0f835