CVE-2023-52439

uio: Fix use-after-free in uio_open

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2
-------------------------------------------------------
uio_unregister_device uio_open idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev)
------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with
minor_lock.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: uio: corrige use-after-free en uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister se liberará idev cuando la referencia del objeto idev->dev kobject es 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, el idev se liberará dos veces. Para solucionar este problema, podemos obtener la referencia de idev atomic & inc idev con minor_lock.

A flaw was found in the Linux kernel’s uio subsystem. A use-after-free memory flaw in the uio_open functionality allows a local user to crash or escalate their privileges on the system.

In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock.

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate certain data structure fields when parsing lease contexts, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service or possibly expose sensitive information. Quentin Minster discovered that a race condition existed in the KSMBD implementation in the Linux kernel, leading to a use-after-free vulnerability. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-20 CVE Published
2024-12-27 CVE Updated
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-415: Double Free
CWE-416: Use After Free

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/57c5f4df0a5a0ee83df799991251e2ee93a5e4e9	Vuln. Introduced
https://git.kernel.org/stable/c/13af019c87f2d90e663742cb1a819834048842ae	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c	2024-01-25
https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50	2024-01-25
https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570	2024-01-25
https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7	2024-01-25
https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea	2024-01-20
https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad	2024-01-20
https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41	2024-01-20
https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2	2024-01-04

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52439	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2265271	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 4.19.306 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 4.19.306"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 5.4.268 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.4.268"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 5.10.209 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.10.209"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 5.15.148 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 5.15.148"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.1.74 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.1.74"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.6.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.6.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.7.1 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.7.1"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.18 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.18 < 6.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.100 Search vendor "Linux" for product "Linux Kernel" and version "4.14.100"		en		Affected