CVE-2023-52564

Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239. The commit above is reverted as it did not solve the original issue. gsm_cleanup_mux() tries to free up the virtual ttys by calling
gsm_dlci_release() for each available DLCI. There, dlci_put() is called to
decrease the reference counter for the DLCI via tty_port_put() which
finally calls gsm_dlci_free(). This already clears the pointer which is
being checked in gsm_cleanup_mux() before calling gsm_dlci_release().
Therefore, it is not necessary to clear this pointer in gsm_cleanup_mux()
as done in the reverted commit. The commit introduces a null pointer
dereference: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x156/0x420 ? search_exception_tables+0x37/0x50 ? fixup_exception+0x21/0x310 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? tty_port_put+0x19/0xa0 gsmtty_cleanup+0x29/0x80 [n_gsm] release_one_tty+0x37/0xe0 process_one_work+0x1e6/0x3e0 worker_thread+0x4c/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe1/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> The actual issue is that nothing guards dlci_put() from being called
multiple times while the tty driver was triggered but did not yet finished
calling gsm_dlci_free().

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Revertir "tty: n_gsm: fix UAF in gsm_cleanup_mux" Esto revierte el commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239. el commit anterior se revierte porque no resolvió el problema original. gsm_cleanup_mux() intenta liberar los ttys virtuales llamando a gsm_dlci_release() para cada DLCI disponible. Allí, se llama a dlci_put() para disminuir el contador de referencia para el DLCI a través de tty_port_put() que finalmente llama a gsm_dlci_free(). Esto ya borra el puntero que se está verificando en gsm_cleanup_mux() antes de llamar a gsm_dlci_release(). Por lo tanto, no es necesario borrar este puntero en gsm_cleanup_mux() como se hizo en el commit revertida. el commit introduce una desreferencia de puntero nulo: ? __die+0x1f/0x70 ? page_fault_oops+0x156/0x420? search_exception_tables+0x37/0x50? fixup_exception+0x21/0x310? exc_page_fault+0x69/0x150? asm_exc_page_fault+0x26/0x30? tty_port_put+0x19/0xa0 gsmtty_cleanup+0x29/0x80 [n_gsm] release_one_tty+0x37/0xe0 proceso_one_work+0x1e6/0x3e0 trabajador_thread+0x4c/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe1/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 El problema real es que nada protege a dlci_put() de ser llamado varias veces mientras el controlador tty se activó pero aún no terminó de llamar a gsm_dlci_free().

In the Linux kernel, the following vulnerability has been resolved: Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239. The commit above is reverted as it did not solve the original issue. gsm_cleanup_mux() tries to free up the virtual ttys by calling gsm_dlci_release() for each available DLCI. There, dlci_put() is called to decrease the reference counter for the DLCI via tty_port_put() which finally calls gsm_dlci_free(). This already clears the pointer which is being checked in gsm_cleanup_mux() before calling gsm_dlci_release(). Therefore, it is not necessary to clear this pointer in gsm_cleanup_mux() as done in the reverted commit. The commit introduces a null pointer dereference: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x156/0x420 ? search_exception_tables+0x37/0x50 ? fixup_exception+0x21/0x310 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? tty_port_put+0x19/0xa0 gsmtty_cleanup+0x29/0x80 [n_gsm] release_one_tty+0x37/0xe0 process_one_work+0x1e6/0x3e0 worker_thread+0x4c/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe1/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> The actual issue is that nothing guards dlci_put() from being called multiple times while the tty driver was triggered but did not yet finished calling gsm_dlci_free().

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-02 CVE Reserved
2024-03-02 CVE Published
2024-05-29 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/8fc0eabaa73bbd9bd705577071564616da5c8c61	Vuln. Introduced
https://git.kernel.org/stable/c/5138c228311a863c3cf937b94a3ab4c87f1f70c4	Vuln. Introduced
https://git.kernel.org/stable/c/9615ca54bc138e35353a001e8b5d4824dce72188	Vuln. Introduced
https://git.kernel.org/stable/c/9b9c8195f3f0d74a826077fc1c01b9ee74907239	Vuln. Introduced
https://git.kernel.org/stable/c/74a8d6f50cc90ed0061997db51dfa81a62b0f835	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e	2023-10-10
https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb	2023-10-06
https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827	2023-10-06
https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28	2023-10-06
https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668	2023-09-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.190 < 5.10.198 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.190 < 5.10.198"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.124 < 5.15.134 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.124 < 5.15.134"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.43 < 6.1.56 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.43 < 6.1.56"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.5.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.5.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.4.8 Search vendor "Linux" for product "Linux Kernel" and version "6.4.8"		en		Affected