Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2023-53023

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/03/2025
Last modified:
01/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: nfc: Fix use-after-free in local_cleanup()<br /> <br /> Fix a use-after-free that occurs in kfree_skb() called from<br /> local_cleanup(). This could happen when killing nfc daemon (e.g. neard)<br /> after detaching an nfc device.<br /> When detaching an nfc device, local_cleanup() called from<br /> nfc_llcp_unregister_device() frees local-&gt;rx_pending and decreases<br /> local-&gt;ref by kref_put() in nfc_llcp_local_put().<br /> In the terminating process, nfc daemon releases all sockets and it leads<br /> to decreasing local-&gt;ref. After the last release of local-&gt;ref,<br /> local_cleanup() called from local_release() frees local-&gt;rx_pending<br /> again, which leads to the bug.<br /> <br /> Setting local-&gt;rx_pending to NULL in local_cleanup() could prevent<br /> use-after-free when local_cleanup() is called twice.<br /> <br /> Found by a modified version of syzkaller.<br /> <br /> BUG: KASAN: use-after-free in kfree_skb()<br /> <br /> Call Trace:<br /> dump_stack_lvl (lib/dump_stack.c:106)<br /> print_address_description.constprop.0.cold (mm/kasan/report.c:306)<br /> kasan_check_range (mm/kasan/generic.c:189)<br /> kfree_skb (net/core/skbuff.c:955)<br /> local_cleanup (net/nfc/llcp_core.c:159)<br /> nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)<br /> nfc_llcp_local_put (net/nfc/llcp_core.c:181)<br /> llcp_sock_destruct (net/nfc/llcp_sock.c:959)<br /> __sk_destruct (net/core/sock.c:2133)<br /> sk_destruct (net/core/sock.c:2181)<br /> __sk_free (net/core/sock.c:2192)<br /> sk_free (net/core/sock.c:2203)<br /> llcp_sock_release (net/nfc/llcp_sock.c:646)<br /> __sock_release (net/socket.c:650)<br /> sock_close (net/socket.c:1365)<br /> __fput (fs/file_table.c:306)<br /> task_work_run (kernel/task_work.c:179)<br /> ptrace_notify (kernel/signal.c:2354)<br /> syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)<br /> syscall_exit_to_user_mode (kernel/entry/common.c:296)<br /> do_syscall_64 (arch/x86/entry/common.c:86)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)<br /> <br /> Allocated by task 4719:<br /> kasan_save_stack (mm/kasan/common.c:45)<br /> __kasan_slab_alloc (mm/kasan/common.c:325)<br /> slab_post_alloc_hook (mm/slab.h:766)<br /> kmem_cache_alloc_node (mm/slub.c:3497)<br /> __alloc_skb (net/core/skbuff.c:552)<br /> pn533_recv_response (drivers/nfc/pn533/usb.c:65)<br /> __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)<br /> usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)<br /> tasklet_action_common.isra.0 (kernel/softirq.c:797)<br /> __do_softirq (kernel/softirq.c:571)<br /> <br /> Freed by task 1901:<br /> kasan_save_stack (mm/kasan/common.c:45)<br /> kasan_set_track (mm/kasan/common.c:52)<br /> kasan_save_free_info (mm/kasan/genericdd.c:518)<br /> __kasan_slab_free (mm/kasan/common.c:236)<br /> kmem_cache_free (mm/slub.c:3809)<br /> kfree_skbmem (net/core/skbuff.c:874)<br /> kfree_skb (net/core/skbuff.c:931)<br /> local_cleanup (net/nfc/llcp_core.c:159)<br /> nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)<br /> nfc_unregister_device (net/nfc/core.c:1179)<br /> pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)<br /> pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)<br /> usb_unbind_interface (drivers/usb/core/driver.c:458)<br /> device_release_driver_internal (drivers/base/dd.c:1279)<br /> bus_remove_device (drivers/base/bus.c:529)<br /> device_del (drivers/base/core.c:3665)<br /> usb_disable_device (drivers/usb/core/message.c:1420)<br /> usb_disconnect (drivers/usb/core.c:2261)<br /> hub_event (drivers/usb/core/hub.c:5833)<br /> process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)<br /> worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)<br /> kthread (kernel/kthread.c:319)<br /> ret_from_fork (arch/x86/entry/entry_64.S:301)

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.9 (including) 4.14.305 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.272 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.231 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.166 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.91 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools