CVE-2023-52564

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52564
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52564.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52564
Related
Published
2024-03-02T22:15:48Z
Modified
2024-09-11T05:02:07.567939Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"

This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.

The commit above is reverted as it did not solve the original issue.

gsm_cleanup_mux() tries to free up the virtual ttys by calling gsm_dlci_release() for each available DLCI. There, dlci_put() is called to decrease the reference counter for the DLCI via tty_port_put() which finally calls gsm_dlci_free(). This already clears the pointer which is being checked in gsm_cleanup_mux() before calling gsm_dlci_release(). Therefore, it is not necessary to clear this pointer in gsm_cleanup_mux() as done in the reverted commit. The commit introduces a null pointer dereference:

 <TASK>
 ? __die+0x1f/0x70
 ? page_fault_oops+0x156/0x420
 ? search_exception_tables+0x37/0x50
 ? fixup_exception+0x21/0x310
 ? exc_page_fault+0x69/0x150
 ? asm_exc_page_fault+0x26/0x30
 ? tty_port_put+0x19/0xa0
 gsmtty_cleanup+0x29/0x80 [n_gsm]
 release_one_tty+0x37/0xe0
 process_one_work+0x1e6/0x3e0
 worker_thread+0x4c/0x3d0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe1/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2f/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1b/0x30
 </TASK>

The actual issue is that nothing guards dlci_put() from being called multiple times while the tty driver was triggered but did not yet finish calling gsm_dlci_free().

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.205-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.64-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.5.6-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}