CVE-2023-52975
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/03/2025
Last modified:
01/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress<br />
<br />
Bug report and analysis from Ding Hui.<br />
<br />
During iSCSI session logout, if another task accesses the shost ipaddress<br />
attr, we can get a KASAN UAF report like this:<br />
<br />
[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0<br />
[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088<br />
[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3<br />
[ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020<br />
[ 276.944470] Call Trace:<br />
[ 276.944943] <br />
[ 276.945397] dump_stack_lvl+0x34/0x48<br />
[ 276.945887] print_address_description.constprop.0+0x86/0x1e7<br />
[ 276.946421] print_report+0x36/0x4f<br />
[ 276.947358] kasan_report+0xad/0x130<br />
[ 276.948234] kasan_check_range+0x35/0x1c0<br />
[ 276.948674] _raw_spin_lock_bh+0x78/0xe0<br />
[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]<br />
[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]<br />
[ 276.952185] dev_attr_show+0x3f/0x80<br />
[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0<br />
[ 276.953401] seq_read_iter+0x402/0x1020<br />
[ 276.954260] vfs_read+0x532/0x7b0<br />
[ 276.955113] ksys_read+0xed/0x1c0<br />
[ 276.955952] do_syscall_64+0x38/0x90<br />
[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />
[ 276.956769] RIP: 0033:0x7f5d3a679222<br />
[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24<br />
[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000<br />
[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222<br />
[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003<br />
[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000<br />
[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000<br />
[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58<br />
[ 276.960536] <br />
[ 276.961357] Allocated by task 2209:<br />
[ 276.961756] kasan_save_stack+0x1e/0x40<br />
[ 276.962170] kasan_set_track+0x21/0x30<br />
[ 276.962557] __kasan_kmalloc+0x7e/0x90<br />
[ 276.962923] __kmalloc+0x5b/0x140<br />
[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]<br />
[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi]<br />
[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]<br />
[ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]<br />
[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]<br />
[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]<br />
[ 276.965546] netlink_unicast+0x4d5/0x7b0<br />
[ 276.965905] netlink_sendmsg+0x78d/0xc30<br />
[ 276.966236] sock_sendmsg+0xe5/0x120<br />
[ 276.966576] ____sys_sendmsg+0x5fe/0x860<br />
[ 276.966923] ___sys_sendmsg+0xe0/0x170<br />
[ 276.967300] __sys_sendmsg+0xc8/0x170<br />
[ 276.967666] do_syscall_64+0x38/0x90<br />
[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />
[ 276.968773] Freed by task 2209:<br />
[ 276.969111] kasan_save_stack+0x1e/0x40<br />
[ 276.969449] kasan_set_track+0x21/0x30<br />
[ 276.969789] kasan_save_free_info+0x2a/0x50<br />
[ 276.970146] __kasan_slab_free+0x106/0x190<br />
[ 276.970470] __kmem_cache_free+0x133/0x270<br />
[ 276.970816] device_release+0x98/0x210<br />
[ 276.971145] kobject_cleanup+0x101/0x360<br />
[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi]<br />
[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]<br />
[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]<br />
[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]<br />
[ 276.972808] netlink_unicast+0x4d5/0x7b0<br />
[ 276.973201] netlink_sendmsg+0x78d/0xc30<br />
[ 276.973544] sock_sendmsg+0xe5/0x120<br />
[ 276.973864] ____sys_sendmsg+0x5fe/0x860<br />
[ 276.974248] ___sys_<br />
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.248 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.93 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page