CVE-2023-52468

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
26/02/2024
Last modified:
17/04/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

class: fix use-after-free in class_register()

The lock_class_key is still registered and can be found in
lock_keys_hash hlist after subsys_private is freed in error
handler path. A task that iterates over the lock_keys_hash
later may cause use-after-free. So fix that up and unregister
the lock_class_key before kfree(cp).

On our platform, a driver fails to kset_register because of
creating duplicate filename '/class/xxx'. With Kasan enabled,
it prints an invalid-access bug report.

KASAN bug report:

BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc
Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252
Pointer tag: [15], memory tag: [fe]

CPU: 7 PID: 252 Comm: modprobe Tainted: G W
6.6.0-mainline-maybe-dirty #1

Call trace:
dump_backtrace+0x1b0/0x1e4
show_stack+0x2c/0x40
dump_stack_lvl+0xac/0xe0
print_report+0x18c/0x4d8
kasan_report+0xe8/0x148
__hwasan_store8_noabort+0x88/0x98
lockdep_register_key+0x19c/0x1bc
class_register+0x94/0x1ec
init_module+0xbc/0xf48 [rfkill]
do_one_initcall+0x17c/0x72c
do_init_module+0x19c/0x3f8
...
Memory state around the buggy address:
ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a
ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe
>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03

As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access
not use-after-free here. In this case, modprobe is manipulating
the corrupted lock_keys_hash hlist where lock_class_key is already
freed before.

It's worth noting that this only can happen if lockdep is enabled,
which is not true for a normal system.
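As an added illustration, not kernel code and not the fix itself: a small C model of the error path the description refers to. Every name here (subsys_private, lock_keys_hash, kset_register(), the pool allocator) is a simplified stand-in chosen for this example; it shows the registry entry that keeps pointing into the freed subsys_private when the key is not unregistered before kfree(cp), and that the fix clears it.

```c
/* Model of the class_register() error path from the description; not kernel code (all names are stand-ins). */
#include <string.h>
enum { SLOTS = 8 }; struct lock_class_key { int id; };
/* As in the kernel, the key is embedded in subsys_private, so kfree(cp) frees the key too. */
struct subsys_private { struct lock_class_key key; int in_use; };
static struct lock_class_key *lock_keys_hash[SLOTS]; /* flat stand-in for lockdep's key registry */
static struct subsys_private cp_pool[SLOTS];          /* stand-in allocator that remembers freed slots */
static const char *kset_names[SLOTS]; static int kset_count; /* names kset_register() accepted */
static void lockdep_register_key(struct lock_class_key *k) {
    for (int i = 0; i < SLOTS; i++) if (!lock_keys_hash[i]) { lock_keys_hash[i] = k; return; }
}
static void lockdep_unregister_key(struct lock_class_key *k) {
    for (int i = 0; i < SLOTS; i++) if (lock_keys_hash[i] == k) lock_keys_hash[i] = NULL;
}
/* Fails on a duplicate name, like the duplicate '/class/xxx' in the report. */
static int kset_register(const char *name) {
    for (int i = 0; i < kset_count; i++) if (!strcmp(kset_names[i], name)) return -1;
    kset_names[kset_count++] = name; return 0;
}
static struct subsys_private *kzalloc_cp(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!cp_pool[i].in_use) { memset(&cp_pool[i], 0, sizeof cp_pool[i]); cp_pool[i].in_use = 1; return &cp_pool[i]; }
    return NULL;
}
static void kfree_cp(struct subsys_private *cp) { cp->in_use = 0; }
/* The key is registered before kset_register(); the fix unregisters it on the failure path before kfree(cp). */
static int class_register(const char *name, int apply_fix) {
    struct subsys_private *cp = kzalloc_cp();
    if (!cp) return -1;
    lockdep_register_key(&cp->key);
    if (kset_register(name) == 0) return 0;
    if (apply_fix) lockdep_unregister_key(&cp->key); /* the fix */
    kfree_cp(cp); /* unfixed: lock_keys_hash still holds &cp->key, which now points into freed memory */
    return -1;
}
/* Registry entries pointing into a freed subsys_private: exactly the dangling key a later hash walk hits. */
static int dangling_keys(void) {
    int n = 0;
    for (int j = 0; j < SLOTS; j++) for (int i = 0; i < SLOTS; i++)
        if (!cp_pool[j].in_use && lock_keys_hash[i] == &cp_pool[j].key) n++;
    return n;
}
/* Scenario from the report: one class name registered twice. Returns the dangling-key count. */
static int run_scenario(int apply_fix) {
    memset(lock_keys_hash, 0, sizeof lock_keys_hash); memset(cp_pool, 0, sizeof cp_pool); kset_count = 0;
    class_register("xxx", apply_fix); /* first registration succeeds */
    class_register("xxx", apply_fix); /* duplicate: kset_register() fails and the error path runs */
    return dangling_keys();
}
```

run_scenario(0) leaves one dangling entry, which is the state the KASAN report above catches when modprobe next walks the hash; run_scenario(1) leaves none.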

Vulnerable products and versions

CPE                                             From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.4.0 (including)   6.6.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7.0 (including)   6.7.2 (excluding)