In the Linux kernel, the following vulnerability has been resolved:
nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
This bug affects both st_nci_i2c_remove and st_nci_spi_remove. Take st_nci_i2c_remove as an example.
In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work with llt_ndlc_sm_work.
When it calls ndlc_recv or the timeout handler, it will finally call schedule_work to start the work.
When we call st_nci_i2c_remove to remove the driver, there may be a sequence as follows (shown in the CPU0/CPU1 diagram below):
Fix it by finishing the work before cleanup in ndlc_remove, so that llt_ndlc_sm_work can no longer run after ndlc->ndev has been freed.
CPU0                    | CPU1
                        | llt_ndlc_sm_work
st_nci_i2c_remove       |
  ndlc_remove           |
    st_nci_remove       |
    nci_free_device     |
    kfree(ndev)         |
    //free ndlc->ndev   |
                        | llt_ndlc_rcv_queue
                        | nci_recv_frame
                        | //use ndlc->ndev
{ "vanir_signatures": [ { "signature_type": "Function", "target": { "file": "drivers/nfc/st-nci/ndlc.c", "function": "ndlc_remove" }, "id": "CVE-2023-53106-031446b3", "digest": { "length": 258.0, "function_hash": "165130585760393613373269410661763923401" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43aa468df246175207a7d5d7d6d31b231f15b49c", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/nfc/st-nci/ndlc.c" }, "id": "CVE-2023-53106-269d9980", "digest": { "threshold": 0.9, "line_hashes": [ "5769284258606475822732180450568004380", "288700677809605685556639536797412679916", "266126378601039291087342873378498921295", "169782007828159236714951054939518895297", "165662296298863369735152750339137646865", "257211554070955124134241567683998428061", "276901368242489837696633159489902401869", "67499982534343830793786811260170741311" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3405eb641dafcc8b28d174784b203c1622c121bf", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/nfc/st-nci/ndlc.c", "function": "ndlc_remove" }, "id": "CVE-2023-53106-2747808f", "digest": { "length": 258.0, "function_hash": "165130585760393613373269410661763923401" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f589e5b56c562d99ea74e05b1c3f0eab78aa17a3", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/nfc/st-nci/ndlc.c" }, "id": "CVE-2023-53106-2adc1e26", "digest": { "threshold": 0.9, "line_hashes": [ "5769284258606475822732180450568004380", "288700677809605685556639536797412679916", "266126378601039291087342873378498921295", "169782007828159236714951054939518895297", "165662296298863369735152750339137646865", "257211554070955124134241567683998428061", "276901368242489837696633159489902401869", 
"67499982534343830793786811260170741311" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5000fe6c27827a61d8250a7e4a1d26c3298ef4f6", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/nfc/st-nci/ndlc.c" }, "id": "CVE-2023-53106-317d6c94", "digest": { "threshold": 0.9, "line_hashes": [ "5769284258606475822732180450568004380", "288700677809605685556639536797412679916", "266126378601039291087342873378498921295", "169782007828159236714951054939518895297", "165662296298863369735152750339137646865", "257211554070955124134241567683998428061", "276901368242489837696633159489902401869", "67499982534343830793786811260170741311" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43aa468df246175207a7d5d7d6d31b231f15b49c", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/nfc/st-nci/ndlc.c" }, "id": "CVE-2023-53106-3286586f", "digest": { "threshold": 0.9, "line_hashes": [ "5769284258606475822732180450568004380", "288700677809605685556639536797412679916", "266126378601039291087342873378498921295", "169782007828159236714951054939518895297", "165662296298863369735152750339137646865", "257211554070955124134241567683998428061", "276901368242489837696633159489902401869", "67499982534343830793786811260170741311" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2156490c4b7cacda9a18ec99929940b8376dc0e3", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/nfc/st-nci/ndlc.c", "function": "ndlc_remove" }, "id": "CVE-2023-53106-4be0cd5d", "digest": { "length": 258.0, "function_hash": "165130585760393613373269410661763923401" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@84dd9cc34014e3a3dcce0eb6d54b8a067e97676b", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", 
"target": { "file": "drivers/nfc/st-nci/ndlc.c", "function": "ndlc_remove" }, "id": "CVE-2023-53106-52ba06b3", "digest": { "length": 258.0, "function_hash": "165130585760393613373269410661763923401" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5000fe6c27827a61d8250a7e4a1d26c3298ef4f6", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/nfc/st-nci/ndlc.c", "function": "ndlc_remove" }, "id": "CVE-2023-53106-5bf5c908", "digest": { "length": 258.0, "function_hash": "165130585760393613373269410661763923401" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3405eb641dafcc8b28d174784b203c1622c121bf", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/nfc/st-nci/ndlc.c" }, "id": "CVE-2023-53106-75ea68c0", "digest": { "threshold": 0.9, "line_hashes": [ "5769284258606475822732180450568004380", "288700677809605685556639536797412679916", "266126378601039291087342873378498921295", "169782007828159236714951054939518895297", "165662296298863369735152750339137646865", "257211554070955124134241567683998428061", "276901368242489837696633159489902401869", "67499982534343830793786811260170741311" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f589e5b56c562d99ea74e05b1c3f0eab78aa17a3", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/nfc/st-nci/ndlc.c" }, "id": "CVE-2023-53106-960ec233", "digest": { "threshold": 0.9, "line_hashes": [ "5769284258606475822732180450568004380", "288700677809605685556639536797412679916", "266126378601039291087342873378498921295", "169782007828159236714951054939518895297", "165662296298863369735152750339137646865", "257211554070955124134241567683998428061", "276901368242489837696633159489902401869", "67499982534343830793786811260170741311" ] }, "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5e331022b448fbc5e76f24349cd0246844dcad25", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/nfc/st-nci/ndlc.c", "function": "ndlc_remove" }, "id": "CVE-2023-53106-9a45daeb", "digest": { "length": 258.0, "function_hash": "165130585760393613373269410661763923401" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2156490c4b7cacda9a18ec99929940b8376dc0e3", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/nfc/st-nci/ndlc.c", "function": "ndlc_remove" }, "id": "CVE-2023-53106-a17a9393", "digest": { "length": 258.0, "function_hash": "165130585760393613373269410661763923401" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5e331022b448fbc5e76f24349cd0246844dcad25", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/nfc/st-nci/ndlc.c" }, "id": "CVE-2023-53106-d4bbfe3b", "digest": { "threshold": 0.9, "line_hashes": [ "5769284258606475822732180450568004380", "288700677809605685556639536797412679916", "266126378601039291087342873378498921295", "169782007828159236714951054939518895297", "165662296298863369735152750339137646865", "257211554070955124134241567683998428061", "276901368242489837696633159489902401869", "67499982534343830793786811260170741311" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0c202a8dc63008205a5d546559736507a9aae66", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Line", "target": { "file": "drivers/nfc/st-nci/ndlc.c" }, "id": "CVE-2023-53106-e08c5c7d", "digest": { "threshold": 0.9, "line_hashes": [ "5769284258606475822732180450568004380", "288700677809605685556639536797412679916", "266126378601039291087342873378498921295", "169782007828159236714951054939518895297", 
"165662296298863369735152750339137646865", "257211554070955124134241567683998428061", "276901368242489837696633159489902401869", "67499982534343830793786811260170741311" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@84dd9cc34014e3a3dcce0eb6d54b8a067e97676b", "deprecated": false, "signature_version": "v1" }, { "signature_type": "Function", "target": { "file": "drivers/nfc/st-nci/ndlc.c", "function": "ndlc_remove" }, "id": "CVE-2023-53106-f4db8130", "digest": { "length": 258.0, "function_hash": "165130585760393613373269410661763923401" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0c202a8dc63008205a5d546559736507a9aae66", "deprecated": false, "signature_version": "v1" } ] }