Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2023-52439

Public on 2024-02-20
Modified on 2024-02-28
Description

In the Linux kernel, the following vulnerability has been resolved:

uio: Fix use-after-free in uio_open

core-1 core-2
-------------------------------------------------------
uio_unregister_device uio_open
idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
uio_release
put_device(&idev->dev)
kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double
freed.

To address this issue, we can get idev atomic & inc idev reference with
minor_lock.

Severity
Medium
See what this means
CVSS v3 Base Score
4.4
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Kernel-5.10 Extra kernel 2024-02-01 20:10 ALAS2KERNEL-5.10-2024-048
Amazon Linux 2 - Kernel-5.15 Extra kernel 2024-02-01 20:10 ALAS2KERNEL-5.15-2024-036
Amazon Linux 2 - Kernel-5.4 Extra kernel 2024-02-01 20:10 ALAS2KERNEL-5.4-2024-059
Amazon Linux 2023 kernel 2024-02-15 02:51 ALAS2023-2024-519

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
NVD CVSSv3 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2023-52439 Mitre: CVE-2023-52439 FAQs regarding Amazon Linux ALAS/CVE Severity