CVSS3

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

AI Score
Confidence: High

EPSS
Percentile: 5.1%
In the Linux kernel, the following vulnerability has been resolved:

class: fix use-after-free in class_register()

The lock_class_key is still registered and can be found in the lock_keys_hash hlist after subsys_private is freed in the error handler path. A task which iterates over the lock_keys_hash later may cause a use-after-free. So fix that up and unregister the lock_class_key before kfree(cp).

On our platform, a driver fails to kset_register because of creating duplicate filename '/class/xxx'. With Kasan enabled, it prints an invalid-access bug report.

KASAN bug report:

```
BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc
Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252
Pointer tag: [15], memory tag: [fe]
CPU: 7 PID: 252 Comm: modprobe Tainted: G W 6.6.0-mainline-maybe-dirty #1
Call trace:
 dump_backtrace+0x1b0/0x1e4
 show_stack+0x2c/0x40
 dump_stack_lvl+0xac/0xe0
 print_report+0x18c/0x4d8
 kasan_report+0xe8/0x148
 __hwasan_store8_noabort+0x88/0x98
 lockdep_register_key+0x19c/0x1bc
 class_register+0x94/0x1ec
 init_module+0xbc/0xf48 [rfkill]
 do_one_initcall+0x17c/0x72c
 do_init_module+0x19c/0x3f8
 …
Memory state around the buggy address:
 ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a
 ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe
>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                   ^
 ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03
```

As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access, not use-after-free, here. In this case, modprobe is manipulating the corrupted lock_keys_hash hlist where lock_class_key is already freed before. It's worth noting that this only can happen if lockdep is enabled, which is not true for a normal system.
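The following user-space model of the error path is an added example; it is not code from the kernel, the fix commit, or this CVE record. It stands in for the real structures with small lookalikes (a `lock_keys_hash` array of singly linked `key_entry` nodes, a `subsys_private` that embeds its key, a `kset_register()` that rejects duplicate names), so every name below is a modelling assumption rather than the kernel API. It shows the defect the commit message describes: the key embedded in `cp` is registered in a global hash, `kset_register()` fails on the duplicate name, and `cp` is freed while the hash still points into it. The fixed variant unregisters the key before the free, which is the ordering the upstream patch introduces.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled stand-ins (assumptions for this example, not kernel definitions). */
#define KEYS_HASH_BITS 4
#define KEYS_HASH_SIZE (1u << KEYS_HASH_BITS)
#define MAX_KSETS 8

struct key_entry {               /* plays the role of lock_class_key's hash node */
    struct key_entry *next;
};

struct subsys_private {          /* plays the role of the kernel's subsys_private */
    char name[32];
    struct key_entry lock_key;   /* embedded, so freeing cp frees the key too */
};

static struct key_entry *lock_keys_hash[KEYS_HASH_SIZE];
static char kset_names[MAX_KSETS][32];
static int kset_count;

/* Bucket chosen from the key's address, as a hash on the object identity. */
static unsigned int key_hash(const struct key_entry *k)
{
    return (unsigned int)(((uintptr_t)k >> 4) & (KEYS_HASH_SIZE - 1));
}

static void register_key(struct key_entry *k)          /* lockdep_register_key() */
{
    unsigned int h = key_hash(k);
    k->next = lock_keys_hash[h];
    lock_keys_hash[h] = k;
}

static void unregister_key(struct key_entry *k)        /* lockdep_unregister_key() */
{
    for (struct key_entry **pp = &lock_keys_hash[key_hash(k)]; *pp; pp = &(*pp)->next) {
        if (*pp == k) { *pp = k->next; return; }
    }
}

/* Simulated kset registry: fails on a duplicate name, the condition the record
 * describes ("creating duplicate filename '/class/xxx'"). */
static int kset_register(const char *name)
{
    for (int i = 0; i < kset_count; i++)
        if (strcmp(kset_names[i], name) == 0) return -1;   /* like -EEXIST */
    if (kset_count == MAX_KSETS) return -1;
    snprintf(kset_names[kset_count++], sizeof kset_names[0], "%s", name);
    return 0;
}

/* Does any hash chain still hold this address? Compares addresses only and
 * returns on the first match before following its link, so the freed node
 * itself is never dereferenced by this check. */
static int hash_references(uintptr_t addr)
{
    for (unsigned int i = 0; i < KEYS_HASH_SIZE; i++)
        for (struct key_entry *k = lock_keys_hash[i]; k; k = k->next)
            if ((uintptr_t)k == addr) return 1;
    return 0;
}

/* Model of class_register(): fixed == 0 reproduces the vulnerable ordering,
 * fixed == 1 the corrected one. On failure the freed key's address is reported
 * through *freed_key so the caller can audit the hash afterwards. */
static int class_register_model(const char *name, int fixed, uintptr_t *freed_key)
{
    struct subsys_private *cp = calloc(1, sizeof *cp);
    if (!cp) return -1;
    snprintf(cp->name, sizeof cp->name, "%s", name);
    register_key(&cp->lock_key);
    if (kset_register(cp->name) != 0) {
        *freed_key = (uintptr_t)&cp->lock_key;
        if (fixed)
            unregister_key(&cp->lock_key);   /* the fix: unregister before freeing */
        free(cp);                            /* vulnerable: hash still points here */
        return -1;
    }
    return 0;                                /* successful objects stay alive, as in the kernel */
}

/* Register two classes, then a duplicate that must fail.
 * Returns 1 if the hash still references the freed key (dangling), 0 if clean. */
int run_scenario(int fixed)
{
    memset(lock_keys_hash, 0, sizeof lock_keys_hash);
    kset_count = 0;
    uintptr_t freed = 0;
    class_register_model("good", fixed, &freed);
    class_register_model("xxx", fixed, &freed);
    if (class_register_model("xxx", fixed, &freed) != -1 || freed == 0) return -2;
    return hash_references(freed);
}

int main(void)
{
    printf("vulnerable ordering leaves a dangling key in the hash: %d\n", run_scenario(0));
    printf("fixed ordering leaves a dangling key in the hash:      %d\n", run_scenario(1));
    return 0;
}
```

In the real kernel the dangling node is only a problem for whoever walks `lock_keys_hash` next, which is why the report surfaces in a later `lockdep_register_key()` from an unrelated module load; the model makes that latent state visible by auditing the hash for the freed address instead of walking into it.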
Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |
OS | OS version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1021.21 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux-azure | < 6.5.0-1022.23 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < 6.5.0-1022.23~22.04.1 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-gcp | < 6.5.0-1022.24 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < 6.5.0-1022.24~22.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-hwe-6.5 | < 6.5.0-41.41~22.04.2 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-laptop | < 6.5.0-1017.20 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-lowlatency | < 6.5.0-41.41.1 | UNKNOWN |
git.kernel.org/linus/93ec4a3b76404bce01bd5c9032bef5df6feb1d62 (6.8-rc1)
launchpad.net/bugs/cve/CVE-2023-52468
nvd.nist.gov/vuln/detail/CVE-2023-52468
security-tracker.debian.org/tracker/CVE-2023-52468
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6819-4
www.cve.org/CVERecord?id=CVE-2023-52468