CVE-2023-52973

27.03.2025, 17:15

In the Linux kernel, the following vulnerability has been resolved:

vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF

After a call to console_unlock() in vcs_read() the vc_data struct can be
freed by vc_deallocate(). Because of that, the struct vc_data pointer
load must be done at the top of while loop in vcs_read() to avoid a UAF
when vcs_size() is called.

Syzkaller reported a UAF in vcs_size().

BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537

CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1
Hardware name: Red Hat KVM, BIOS 1.15.0-2.module
Call Trace:
  <TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:350)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_read (drivers/tty/vt/vc_screen.c:415)
vfs_read (fs/read_write.c:468 fs/read_write.c:450)
...
  </TASK>

Allocated by task 1191:
...
kmalloc_trace (mm/slab_common.c:1069)
vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720
     drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)
con_install (drivers/tty/vt/vt.c:3383)
tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413
     drivers/tty/tty_io.c:1390)
tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:883)
vfs_open (fs/open.c:1014)
...

Freed by task 1548:
...
kfree (mm/slab_common.c:1021)
vc_port_destruct (drivers/tty/vt/vt.c:1094)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2776)
...

The buggy address belongs to the object at ffff888113747800
  which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
  1024-byte region [ffff888113747800, ffff888113747c00)

The buggy address belongs to the physical page:
page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000
     index:0x0 pfn:0x113740
head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0
     compound_pincount:0
anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                   ^
  ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Linux	CNA	---				---
CISA-ADP	ADP	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Vendor	Product	Version
linux	linux_kernel	2.6.38 ≤ 𝑥 < 4.14.329
linux	linux_kernel	4.15 ≤ 𝑥 < 4.19.273
linux	linux_kernel	4.20 ≤ 𝑥 < 5.4.232
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.168
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.93
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.11
linux	linux_kernel	6.2:rc1
linux	linux_kernel	6.2:rc2
linux	linux_kernel	6.2:rc3
linux	linux_kernel	6.2:rc4
linux	linux_kernel	6.2:rc5
linux	linux_kernel	6.2:rc6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.129-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.19-1 fixed
sid	6.12.20-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-allwinner-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-aws-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-aws-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-aws-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-aws-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-aws-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
xenial	needs-triage

linux-azure

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage
trusty	needs-triage

linux-azure-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-azure-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

oracular	dne
noble	dne
jammy	needs-triage
focal	ignored

linux-azure-fde-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-fde-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-bluefield

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-gcp

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage

linux-gcp-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-gcp-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-gcp-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-gke

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gke-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gkeop-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gkeop-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	needs-triage

linux-hwe-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-hwe-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-hwe-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-ibm-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-ibm-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-intel-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-iot

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-kvm

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-lowlatency

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-lowlatency-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-lowlatency-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-lowlatency-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-lts-xenial

oracular	dne
noble	dne
jammy	dne
focal	dne
trusty	needs-triage

linux-nvidia

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-nvidia-lowlatency

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-nvidia-tegra

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-tegra-igx

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-oem

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oem-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.8

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oracle

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-oracle-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-oracle-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-oracle-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oracle-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-raspi

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-raspi-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-raspi-realtime

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-raspi2

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-realtime

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-riscv

oracular	needs-triage
noble	needs-triage
jammy	ignored
focal	ignored

linux-riscv-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-riscv-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-starfive-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-xilinx-zynqmp

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder nicht spezifizierte Effekte zu erzielen.
Published: 2025-03-27T23:00:00+00:00

References

https://git.kernel.org/stable/c/226fae124b2dac217ea5436060d623ff3385bc34

https://git.kernel.org/stable/c/55515d7d8743b71b80bfe68e89eb9d92630626ab

https://git.kernel.org/stable/c/6332f52f44b9776568bf3c0b714ddfb0bb175e78

https://git.kernel.org/stable/c/8506f16aae9daf354e3732bcfd447e2a97f023df

https://git.kernel.org/stable/c/af79ea9a2443016f64d8fd8d72020cc874f0e066

https://git.kernel.org/stable/c/d0332cbf53dad06a22189cc341391237f4ea6d9f

https://git.kernel.org/stable/c/fc9e27f3ba083534b8bbf72ab0f5c810ffdc7d18