CVE-2023-52439
uio: Fix use-after-free in uio_open
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
uio: Fix use-after-free in uio_open
core-1 core-2
-------------------------------------------------------
uio_unregister_device uio_open
idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
uio_release
put_device(&idev->dev)
kfree(idev)
-------------------------------------------------------
In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double
freed.
To address this issue, we can get idev atomic & inc idev reference with
minor_lock.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: uio: corrige use-after-free en uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister se liberará idev cuando la referencia del objeto idev->dev kobject es 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, el idev se liberará dos veces. Para solucionar este problema, podemos obtener la referencia de idev atomic & inc idev con minor_lock.
A flaw was found in the Linux kernel’s uio subsystem. A use-after-free memory flaw in the uio_open functionality allows a local user to crash or escalate their privileges on the system.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-20 CVE Reserved
- 2024-02-20 CVE Published
- 2024-03-16 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-415: Double Free
- CWE-416: Use After Free
CAPEC
References (14)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-52439 | 2024-09-24 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2265271 | 2024-09-24 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 4.19.306 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 4.19.306" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.4.268 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.4.268" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.10.209 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.10.209" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 5.15.148 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.15.148" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.1.74 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.1.74" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.6.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.6.13" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.7.1 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.7.1" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 4.18 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.8" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.14.100 Search vendor "Linux" for product "Linux Kernel" and version "4.14.100" | en |
Affected
|