{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-52564","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-03-02T21:55:42.567Z","datePublished":"2024-03-02T21:59:36.867Z","dateUpdated":"2025-05-04T12:49:15.207Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:49:15.207Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"\n\nThis reverts commit 9b9c8195f3f0d74a826077fc1c01b9ee74907239.\n\nThe commit above is reverted as it did not solve the original issue.\n\ngsm_cleanup_mux() tries to free up the virtual ttys by calling\ngsm_dlci_release() for each available DLCI. There, dlci_put() is called to\ndecrease the reference counter for the DLCI via tty_port_put() which\nfinally calls gsm_dlci_free(). This already clears the pointer which is\nbeing checked in gsm_cleanup_mux() before calling gsm_dlci_release().\nTherefore, it is not necessary to clear this pointer in gsm_cleanup_mux()\nas done in the reverted commit. The commit introduces a null pointer\ndereference:\n <TASK>\n ? __die+0x1f/0x70\n ? page_fault_oops+0x156/0x420\n ? search_exception_tables+0x37/0x50\n ? fixup_exception+0x21/0x310\n ? exc_page_fault+0x69/0x150\n ? asm_exc_page_fault+0x26/0x30\n ? tty_port_put+0x19/0xa0\n gsmtty_cleanup+0x29/0x80 [n_gsm]\n release_one_tty+0x37/0xe0\n process_one_work+0x1e6/0x3e0\n worker_thread+0x4c/0x3d0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe1/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nThe actual issue is that nothing guards dlci_put() from being called\nmultiple times while the tty driver was triggered but did not yet finished\ncalling gsm_dlci_free()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/tty/n_gsm.c"],"versions":[{"version":"8fc0eabaa73bbd9bd705577071564616da5c8c61","lessThan":"6d5c8862932d31a810b6545f7d69ecc124402c6e","status":"affected","versionType":"git"},{"version":"5138c228311a863c3cf937b94a3ab4c87f1f70c4","lessThan":"a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb","status":"affected","versionType":"git"},{"version":"9615ca54bc138e35353a001e8b5d4824dce72188","lessThan":"c61d0b87a7028c2c10faffc524d748334c7b9827","status":"affected","versionType":"git"},{"version":"9b9c8195f3f0d74a826077fc1c01b9ee74907239","lessThan":"2bff660e0ff349dee84dc4f6f6d10da4497f5b28","status":"affected","versionType":"git"},{"version":"9b9c8195f3f0d74a826077fc1c01b9ee74907239","lessThan":"29346e217b8ab8a52889b88f00b268278d6b7668","status":"affected","versionType":"git"},{"version":"74a8d6f50cc90ed0061997db51dfa81a62b0f835","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/tty/n_gsm.c"],"versions":[{"version":"6.5","status":"affected"},{"version":"0","lessThan":"6.5","status":"unaffected","versionType":"semver"},{"version":"5.10.198","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.134","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.56","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.5.6","lessThanOrEqual":"6.5.*","status":"unaffected","versionType":"semver"},{"version":"6.6","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.190","versionEndExcluding":"5.10.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.124","versionEndExcluding":"5.15.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.43","versionEndExcluding":"6.1.56"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.5.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e"},{"url":"https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb"},{"url":"https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827"},{"url":"https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28"},{"url":"https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668"}],"title":"Revert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2023-52564","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-03-07T20:09:41.921733Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-05T17:21:06.965Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T23:03:20.987Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/6d5c8862932d31a810b6545f7d69ecc124402c6e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a48d2bcd23f2c98d575bc2f9b7a3fbd16aeea9eb","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/c61d0b87a7028c2c10faffc524d748334c7b9827","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2bff660e0ff349dee84dc4f6f6d10da4497f5b28","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/29346e217b8ab8a52889b88f00b268278d6b7668","tags":["x_transferred"]}]}]}}