CVE-2023-52973

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-52973
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52973.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52973
Downstream
Related
Published
2025-03-27T16:43:12.756Z
Modified
2026-05-15T11:53:13.306917861Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
Details

In the Linux kernel, the following vulnerability has been resolved:

vcscreen: move load of struct vcdata pointer in vcs_read() to avoid UAF

After a call to consoleunlock() in vcsread() the vcdata struct can be freed by vcdeallocate(). Because of that, the struct vcdata pointer load must be done at the top of while loop in vcsread() to avoid a UAF when vcs_size() is called.

Syzkaller reported a UAF in vcs_size().

BUG: KASAN: use-after-free in vcssize (drivers/tty/vt/vcscreen.c:215) Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537

CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1 Hardware name: Red Hat KVM, BIOS 1.15.0-2.module Call Trace: <TASK> _asanreportload4noabort (mm/kasan/reportgeneric.c:350) vcssize (drivers/tty/vt/vcscreen.c:215) vcsread (drivers/tty/vt/vcscreen.c:415) vfsread (fs/readwrite.c:468 fs/readwrite.c:450) ... </TASK>

Allocated by task 1191: ... kmalloctrace (mm/slabcommon.c:1069) vcallocate (./include/linux/slab.h:580 ./include/linux/slab.h:720 drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108) coninstall (drivers/tty/vt/vt.c:3383) ttyinitdev (drivers/tty/ttyio.c:1301 drivers/tty/ttyio.c:1413 drivers/tty/ttyio.c:1390) ttyopen (drivers/tty/ttyio.c:2080 drivers/tty/ttyio.c:2126) chrdevopen (fs/chardev.c:415) dodentryopen (fs/open.c:883) vfs_open (fs/open.c:1014) ...

Freed by task 1548: ... kfree (mm/slabcommon.c:1021) vcportdestruct (drivers/tty/vt/vt.c:1094) ttyportdestructor (drivers/tty/ttyport.c:296) ttyportput (drivers/tty/ttyport.c:312) vtdisallocateall (drivers/tty/vt/vtioctl.c:662 (discriminator 2)) vtioctl (drivers/tty/vt/vtioctl.c:903) ttyioctl (drivers/tty/ttyio.c:2776) ...

The buggy address belongs to the object at ffff888113747800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of 1024-byte region [ffff888113747800, ffff888113747c00)

The buggy address belongs to the physical page: page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113740 head:00000000b3fe6c7c order:3 compoundmapcount:0 subpagesmapcount:0 compound_pincount:0 anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Disabling lock debugging due to kernel taint

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52973.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.38
Fixed
4.14.329
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.273
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.232
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.168
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.93
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.11

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52973.json"