CVE-2023-52564 (GCVE-0-2023-52564)
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2026-05-23 15:26
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
This reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.
The commit above is reverted as it did not solve the original issue.
gsm_cleanup_mux() tries to free up the virtual ttys by calling
gsm_dlci_release() for each available DLCI. There, dlci_put() is called to
decrease the reference counter for the DLCI via tty_port_put() which
finally calls gsm_dlci_free(). This already clears the pointer which is
being checked in gsm_cleanup_mux() before calling gsm_dlci_release().
Therefore, it is not necessary to clear this pointer in gsm_cleanup_mux()
as done in the reverted commit. The commit introduces a null pointer
dereference:
<TASK>
? __die+0x1f/0x70
? page_fault_oops+0x156/0x420
? search_exception_tables+0x37/0x50
? fixup_exception+0x21/0x310
? exc_page_fault+0x69/0x150
? asm_exc_page_fault+0x26/0x30
? tty_port_put+0x19/0xa0
gsmtty_cleanup+0x29/0x80 [n_gsm]
release_one_tty+0x37/0xe0
process_one_work+0x1e6/0x3e0
worker_thread+0x4c/0x3d0
? __pfx_worker_thread+0x10/0x10
kthread+0xe1/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
The actual issue is that nothing guards dlci_put() from being called
multiple times while the tty driver was triggered but did not yet finished
calling gsm_dlci_free().
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8fc0eabaa73bbd9bd705577071564616da5c8c61 Version: 5138c228311a863c3cf937b94a3ab4c87f1f70c4 Version: 9615ca54bc138e35353a001e8b5d4824dce72188 Version: 9b9c8195f3f0d74a826077fc1c01b9ee74907239 Version: 9b9c8195f3f0d74a826077fc1c01b9ee74907239 Version: 74a8d6f50cc90ed0061997db51dfa81a62b0f835 Version: 5.10.190 ≤ Version: 5.15.124 ≤ Version: 6.1.43 ≤ Version: 6.4.8 ≤ |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T20:09:41.921733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:06.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:20.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/n_gsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d5c8862932d31a810b6545f7d69ecc124402c6e",
"status": "affected",
"version": "8fc0eabaa73bbd9bd705577071564616da5c8c61",
"versionType": "git"
},
{
"lessThan": "a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb",
"status": "affected",
"version": "5138c228311a863c3cf937b94a3ab4c87f1f70c4",
"versionType": "git"
},
{
"lessThan": "c61d0b87a7028c2c10faffc524d748334c7b9827",
"status": "affected",
"version": "9615ca54bc138e35353a001e8b5d4824dce72188",
"versionType": "git"
},
{
"lessThan": "2bff660e0ff349dee84dc4f6f6d10da4497f5b28",
"status": "affected",
"version": "9b9c8195f3f0d74a826077fc1c01b9ee74907239",
"versionType": "git"
},
{
"lessThan": "29346e217b8ab8a52889b88f00b268278d6b7668",
"status": "affected",
"version": "9b9c8195f3f0d74a826077fc1c01b9ee74907239",
"versionType": "git"
},
{
"status": "affected",
"version": "74a8d6f50cc90ed0061997db51dfa81a62b0f835",
"versionType": "git"
},
{
"lessThan": "5.10.198",
"status": "affected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThan": "5.15.134",
"status": "affected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThan": "6.1.56",
"status": "affected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThan": "6.5",
"status": "affected",
"version": "6.4.8",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/n_gsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.198",
"versionStartIncluding": "5.10.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.134",
"versionStartIncluding": "5.15.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.56",
"versionStartIncluding": "6.1.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"\n\nThis reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.\n\nThe commit above is reverted as it did not solve the original issue.\n\ngsm_cleanup_mux() tries to free up the virtual ttys by calling\ngsm_dlci_release() for each available DLCI. There, dlci_put() is called to\ndecrease the reference counter for the DLCI via tty_port_put() which\nfinally calls gsm_dlci_free(). This already clears the pointer which is\nbeing checked in gsm_cleanup_mux() before calling gsm_dlci_release().\nTherefore, it is not necessary to clear this pointer in gsm_cleanup_mux()\nas done in the reverted commit. The commit introduces a null pointer\ndereference:\n \u003cTASK\u003e\n ? __die+0x1f/0x70\n ? page_fault_oops+0x156/0x420\n ? search_exception_tables+0x37/0x50\n ? fixup_exception+0x21/0x310\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? tty_port_put+0x19/0xa0\n gsmtty_cleanup+0x29/0x80 [n_gsm]\n release_one_tty+0x37/0xe0\n process_one_work+0x1e6/0x3e0\n worker_thread+0x4c/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe1/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nThe actual issue is that nothing guards dlci_put() from being called\nmultiple times while the tty driver was triggered but did not yet finished\ncalling gsm_dlci_free()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:26:08.197Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e"
},
{
"url": "https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb"
},
{
"url": "https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827"
},
{
"url": "https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28"
},
{
"url": "https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668"
}
],
"title": "Revert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52564",
"datePublished": "2024-03-02T21:59:36.867Z",
"dateReserved": "2024-03-02T21:55:42.567Z",
"dateUpdated": "2026-05-23T15:26:08.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…