| Field | Value | Date |
|---|---|---|
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-09 16:32:23 +0000 |
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-09 16:32:23 +0000 |
| commit | 260baf41532d1cd3ea6725da9667dffb91a04ec7 (patch) | |
| tree | 8c9478a1d6be3e485d0b20e49faaf86e2b8c9e65 | |
| parent | 4e7f940a129c09c47e85a2d3c2d01ad23367e024 (diff) | |
| download | vulns-260baf41532d1cd3ea6725da9667dffb91a04ec7.tar.gz | |
add CVE-2023-1851
Test version year stuff and more version matching.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| Mode | Path | Lines |
|---|---|---|
| -rw-r--r-- | cve/published/2023/CVE-2023-1851 (renamed from cve/reserved/2023/CVE-2023-1851) | 0 |
| -rw-r--r-- | cve/published/2023/CVE-2023-1851.json | 90 |
| -rw-r--r-- | cve/published/2023/CVE-2023-1851.mbox | 45 |
| -rw-r--r-- | cve/published/2023/CVE-2023-1851.sha1 | 1 |

4 files changed, 136 insertions, 0 deletions
diff --git a/cve/reserved/2023/CVE-2023-1851 b/cve/published/2023/CVE-2023-1851 index e69de29b..e69de29b 100644 --- a/cve/reserved/2023/CVE-2023-1851 +++ b/cve/published/2023/CVE-2023-1851 diff --git a/cve/published/2023/CVE-2023-1851.json b/cve/published/2023/CVE-2023-1851.json new file mode 100644 index 00000000..aa577872 --- /dev/null +++ b/cve/published/2023/CVE-2023-1851.json 
@@ -0,0 +1,90 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local\n\nllcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls\nnfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for\ngetting the headroom and tailroom needed for skb allocation.\n\nParallelly the nfc_dev can be freed, as the refcount is decreased via\nnfc_free_device(), leading to a UAF reported by Syzkaller, which can\nbe summarized as follows:\n\n(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()\n\t-> nfc_alloc_send_skb() -> Dereference *nfc_dev\n(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()\n\t-> put_device() -> nfc_release() -> Free *nfc_dev\n\nWhen a reference to llcp_local is acquired, we do not acquire the same\nfor the nfc_dev. This leads to freeing even when the llcp_local is in\nuse, and this is the case with the UAF described above too.\n\nThus, when we acquire a reference to llcp_local, we should acquire a\nreference to nfc_dev, and release the references appropriately later.\n\nReferences for llcp_local is initialized in nfc_llcp_register_device()\n(which is called by nfc_register_device()). Thus, we should acquire a\nreference to nfc_dev there.\n\nnfc_unregister_device() calls nfc_llcp_unregister_device() which in\nturn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is\nappropriately released later.\n\nReported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d\nFixes: c7aa12252f51 (\"NFC: Take a reference on the LLCP local pointer when creating a socket\")\nReviewed-by: Suman Ghosh <sumang@marvell.com>\nSigned-off-by: Siddh Raman Pant <code@siddh.me>\nReviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>\nSigned-off-by: David S. 
Miller <davem@davemloft.net>" + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "versions": [ + { + "version": "3.6", + "lessThan": "4.14.336", + "status": "affected", + "versionType": "custom" + }, + { + "version": "3.6", + "lessThan": "4.19.305", + "status": "affected", + "versionType": "custom" + }, + { + "version": "3.6", + "lessThan": "5.4.267", + "status": "affected", + "versionType": "custom" + }, + { + "version": "3.6", + "lessThan": "5.10.208", + "status": "affected", + "versionType": "custom" + }, + { + "version": "3.6", + "lessThan": "5.15.147", + "status": "affected", + "versionType": "custom" + }, + { + "version": "3.6", + "lessThan": "6.1.72", + "status": "affected", + "versionType": "custom" + }, + { + "version": "3.6", + "lessThan": "6.6.11", + "status": "affected", + "versionType": "custom" + }, + { + "version": "3.6", + "lessThan": "6.7", + "status": "affected", + "versionType": "custom" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/torvalds/c/c95f919567d6f1914f13350af61a1b044ac85014" + } + ], + "title": "nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local", + "x_generator": { + "engine": "bippy-7de06c7ff7c8" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2023-1851", + "requesterUserId": "gregkh@linuxfoundation.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2023/CVE-2023-1851.mbox b/cve/published/2023/CVE-2023-1851.mbox new file mode 100644 index 00000000..35117dc2 --- /dev/null +++ b/cve/published/2023/CVE-2023-1851.mbox 
@@ -0,0 +1,45 @@ +From: Linux Kernel CVE team <cve@kernel.org> +Subject: CVE-2023-1851: nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local + +CVE-2023-1851 has been assigned for the following issue: + +nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local + +llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls +nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for +getting the headroom and tailroom needed for skb allocation. + +Parallelly the nfc_dev can be freed, as the refcount is decreased via +nfc_free_device(), leading to a UAF reported by Syzkaller, which can +be summarized as follows: + +(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame() + -> nfc_alloc_send_skb() -> Dereference *nfc_dev +(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device() + -> put_device() -> nfc_release() -> Free *nfc_dev + +When a reference to llcp_local is acquired, we do not acquire the same +for the nfc_dev. This leads to freeing even when the llcp_local is in +use, and this is the case with the UAF described above too. + +Thus, when we acquire a reference to llcp_local, we should acquire a +reference to nfc_dev, and release the references appropriately later. + +References for llcp_local is initialized in nfc_llcp_register_device() +(which is called by nfc_register_device()). Thus, we should acquire a +reference to nfc_dev there. + +nfc_unregister_device() calls nfc_llcp_unregister_device() which in +turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is +appropriately released later. 
+ +Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d +Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") +Reviewed-by: Suman Ghosh <sumang@marvell.com> +Signed-off-by: Siddh Raman Pant <code@siddh.me> +Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> +Signed-off-by: David S. Miller <davem@davemloft.net> + +Affected versions: + diff --git a/cve/published/2023/CVE-2023-1851.sha1 b/cve/published/2023/CVE-2023-1851.sha1 new file mode 100644 index 00000000..0c3c966b --- /dev/null +++ b/cve/published/2023/CVE-2023-1851.sha1 @@ -0,0 +1 @@ +c95f919567d6f1914f13350af61a1b044ac85014 |
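Review bot: in the CVE-2023-1851.json hunk, all eight entries under "versions" open at "version": "3.6" and differ only in "lessThan", so the ranges nest and overlap: 4.14.336 is fixed according to the first entry but still falls inside 3.6 <= v < 4.19.305 of the second, and the same holds at every later stable boundary (5.4.267, 5.10.208, 5.15.147, 6.1.72, 6.6.11, 6.7), which makes "defaultStatus": "affected" undecidable for any patched stable release. Since the commit subject is about version matching, each stable branch should get its own lower bound (for example `"version": "4.14", "lessThan": "4.14.336"`) or the record should add explicit "unaffected" entries for the fixed releases, so a consumer can tell 4.14.336 from 4.14.335. Also worth checking: "references" carries only the mainline fix c95f919567d6f1914f13350af61a1b044ac85014, with none of the stable backport commits that the eight "lessThan" boundaries imply.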
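Review bot: in the CVE-2023-1851.mbox hunk, the mail ends with the "Affected versions:" heading followed by a blank line and nothing else, whereas the .json in the same commit lists eight affected ranges (3.6 up to 4.14.336, 4.19.305, 5.4.267, 5.10.208, 5.15.147, 6.1.72, 6.6.11 and 6.7); the generator dropped the version list from the announcement, so anyone reading only the mail gets no fixed-version information. The mail also lacks the fix commit URL that the .json carries under "references", so it cannot be matched to c95f919567d6f1914f13350af61a1b044ac85014 without the .sha1 file. Either populate the section from the same data that produced the JSON or drop the empty heading rather than shipping it blank.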