CVE-2023-52973

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF<br /> <br /> After a call to console_unlock() in vcs_read() the vc_data struct can be<br /> freed by vc_deallocate(). Because of that, the struct vc_data pointer<br /> load must be done at the top of while loop in vcs_read() to avoid a UAF<br /> when vcs_size() is called.<br /> <br /> Syzkaller reported a UAF in vcs_size().<br /> <br /> BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)<br /> Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537<br /> <br /> CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1<br /> Hardware name: Red Hat KVM, BIOS 1.15.0-2.module<br /> Call Trace:<br /> <br /> __asan_report_load4_noabort (mm/kasan/report_generic.c:350)<br /> vcs_size (drivers/tty/vt/vc_screen.c:215)<br /> vcs_read (drivers/tty/vt/vc_screen.c:415)<br /> vfs_read (fs/read_write.c:468 fs/read_write.c:450)<br /> ...<br /> <br /> <br /> Allocated by task 1191:<br /> ...<br /> kmalloc_trace (mm/slab_common.c:1069)<br /> vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720<br /> drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)<br /> con_install (drivers/tty/vt/vt.c:3383)<br /> tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413<br /> drivers/tty/tty_io.c:1390)<br /> tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)<br /> chrdev_open (fs/char_dev.c:415)<br /> do_dentry_open (fs/open.c:883)<br /> vfs_open (fs/open.c:1014)<br /> ...<br /> <br /> Freed by task 1548:<br /> ...<br /> kfree (mm/slab_common.c:1021)<br /> vc_port_destruct (drivers/tty/vt/vt.c:1094)<br /> tty_port_destructor (drivers/tty/tty_port.c:296)<br /> tty_port_put (drivers/tty/tty_port.c:312)<br /> vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))<br /> vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)<br /> tty_ioctl (drivers/tty/tty_io.c:2776)<br /> ...<br /> <br /> The buggy address belongs to the object at ffff888113747800<br /> which belongs to the cache kmalloc-1k of size 1024<br /> The buggy address is located 424 bytes inside of<br /> 1024-byte region [ffff888113747800, ffff888113747c00)<br /> <br /> The buggy address belongs to the physical page:<br /> page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000<br /> index:0x0 pfn:0x113740<br /> head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0<br /> compound_pincount:0<br /> anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)<br /> raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001<br /> raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> <br /> Memory state around the buggy address:<br /> ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> &gt; ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ^<br /> ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ==================================================================<br /> Disabling lock debugging due to kernel taint