CVE-2023-52564

{"id": "CVE-2023-52564", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-03-02T22:15:48.933", "references": [{"url": "https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"\n\nThis reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.\n\nThe commit above is reverted as it did not solve the original issue.\n\ngsm_cleanup_mux() tries to free up the virtual ttys by calling\ngsm_dlci_release() for each available DLCI. There, dlci_put() is called to\ndecrease the reference counter for the DLCI via tty_port_put() which\nfinally calls gsm_dlci_free(). This already clears the pointer which is\nbeing checked in gsm_cleanup_mux() before calling gsm_dlci_release().\nTherefore, it is not necessary to clear this pointer in gsm_cleanup_mux()\nas done in the reverted commit. The commit introduces a null pointer\ndereference:\n <TASK>\n ? __die+0x1f/0x70\n ? page_fault_oops+0x156/0x420\n ? search_exception_tables+0x37/0x50\n ? fixup_exception+0x21/0x310\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? tty_port_put+0x19/0xa0\n gsmtty_cleanup+0x29/0x80 [n_gsm]\n release_one_tty+0x37/0xe0\n process_one_work+0x1e6/0x3e0\n worker_thread+0x4c/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe1/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nThe actual issue is that nothing guards dlci_put() from being called\nmultiple times while the tty driver was triggered but did not yet finished\ncalling gsm_dlci_free()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Revertir \"tty: n_gsm: fix UAF in gsm_cleanup_mux\" Esto revierte el commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239. el commit anterior se revierte porque no resolvi\u00f3 el problema original. gsm_cleanup_mux() intenta liberar los ttys virtuales llamando a gsm_dlci_release() para cada DLCI disponible. All\u00ed, se llama a dlci_put() para disminuir el contador de referencia para el DLCI a trav\u00e9s de tty_port_put() que finalmente llama a gsm_dlci_free(). Esto ya borra el puntero que se est\u00e1 verificando en gsm_cleanup_mux() antes de llamar a gsm_dlci_release(). Por lo tanto, no es necesario borrar este puntero en gsm_cleanup_mux() como se hizo en el commit revertida. el commit introduce una desreferencia de puntero nulo: ? __die+0x1f/0x70 ? page_fault_oops+0x156/0x420? search_exception_tables+0x37/0x50? fixup_exception+0x21/0x310? exc_page_fault+0x69/0x150? asm_exc_page_fault+0x26/0x30? tty_port_put+0x19/0xa0 gsmtty_cleanup+0x29/0x80 [n_gsm] release_one_tty+0x37/0xe0 proceso_one_work+0x1e6/0x3e0 trabajador_thread+0x4c/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe1/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 El problema real es que nada protege a dlci_put() de ser llamado varias veces mientras el controlador tty se activ\u00f3 pero a\u00fan no termin\u00f3 de llamar a gsm_dlci_free()."}], "lastModified": "2025-01-07T17:34:18.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB2D8159-4945-414E-BE3E-012D06CDECF4", "versionEndExcluding": "5.10.198", "versionStartIncluding": "5.10.190"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19F970A2-0C87-43BE-A458-32CE99A8466F", "versionEndExcluding": "5.15.134", "versionStartIncluding": "5.15.124"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7A76EF2-AF5B-4071-9E4E-F62A07108496", "versionEndExcluding": "6.1.56", "versionStartIncluding": "6.1.43"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37A7D3E0-22DF-4D92-9B5E-F8505D3471A2", "versionEndExcluding": "6.5.6", "versionStartIncluding": "6.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84267A4F-DBC2-444F-B41D-69E15E1BEC97"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB440208-241C-4246-9A83-C1715C0DAA6C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DC421F1-3D5A-4BEF-BF76-4E468985D20B"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}