CVE-2024-50073

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tty: n_gsm: Fix use-after-free in gsm_cleanup_mux<br /> <br /> BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0<br /> drivers/tty/n_gsm.c:3160 [n_gsm]<br /> Read of size 8 at addr ffff88815fe99c00 by task poc/3379<br /> CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56<br /> Hardware name: VMware, Inc. VMware Virtual Platform/440BX<br /> Desktop Reference Platform, BIOS 6.00 11/12/2020<br /> Call Trace:<br /> <br /> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]<br /> __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]<br /> __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389<br /> update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500<br /> __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846<br /> __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161<br /> gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]<br /> _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107<br /> __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]<br /> ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195<br /> ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79<br /> __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338<br /> __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805<br /> tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818<br /> <br /> Allocated by task 65:<br /> gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]<br /> gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]<br /> gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]<br /> gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]<br /> tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391<br /> tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39<br /> flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445<br /> process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229<br /> worker_thread+0x3dc/0x950 kernel/workqueue.c:3391<br /> kthread+0x2a3/0x370 kernel/kthread.c:389<br /> ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257<br /> <br /> Freed by task 3367:<br /> kfree+0x126/0x420 mm/slub.c:4580<br /> gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]<br /> gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]<br /> tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818<br /> <br /> [Analysis]<br /> gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux<br /> can be freed by multi threads through ioctl,which leads<br /> to the occurrence of uaf. Protect it by gsm tx lock.