author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-09 16:32:23 +0000
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-09 16:32:23 +0000
commit: 260baf41532d1cd3ea6725da9667dffb91a04ec7 (patch)
tree: 8c9478a1d6be3e485d0b20e49faaf86e2b8c9e65
parent: 4e7f940a129c09c47e85a2d3c2d01ad23367e024 (diff)
download: vulns-260baf41532d1cd3ea6725da9667dffb91a04ec7.tar.gz
add CVE-2023-1851

Test version year stuff and more version matching.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--  cve/published/2023/CVE-2023-1851 (renamed from cve/reserved/2023/CVE-2023-1851)  0
-rw-r--r--  cve/published/2023/CVE-2023-1851.json  90
-rw-r--r--  cve/published/2023/CVE-2023-1851.mbox  45
-rw-r--r--  cve/published/2023/CVE-2023-1851.sha1  1
4 files changed, 136 insertions, 0 deletions
diff --git a/cve/reserved/2023/CVE-2023-1851 b/cve/published/2023/CVE-2023-1851
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-1851
+++ b/cve/published/2023/CVE-2023-1851
diff --git a/cve/published/2023/CVE-2023-1851.json b/cve/published/2023/CVE-2023-1851.json
new file mode 100644
index 00000000..aa577872
--- /dev/null
+++ b/cve/published/2023/CVE-2023-1851.json
@@ -0,0 +1,90 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local\n\nllcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls\nnfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for\ngetting the headroom and tailroom needed for skb allocation.\n\nParallelly the nfc_dev can be freed, as the refcount is decreased via\nnfc_free_device(), leading to a UAF reported by Syzkaller, which can\nbe summarized as follows:\n\n(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()\n\t-> nfc_alloc_send_skb() -> Dereference *nfc_dev\n(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()\n\t-> put_device() -> nfc_release() -> Free *nfc_dev\n\nWhen a reference to llcp_local is acquired, we do not acquire the same\nfor the nfc_dev. This leads to freeing even when the llcp_local is in\nuse, and this is the case with the UAF described above too.\n\nThus, when we acquire a reference to llcp_local, we should acquire a\nreference to nfc_dev, and release the references appropriately later.\n\nReferences for llcp_local is initialized in nfc_llcp_register_device()\n(which is called by nfc_register_device()). Thus, we should acquire a\nreference to nfc_dev there.\n\nnfc_unregister_device() calls nfc_llcp_unregister_device() which in\nturn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is\nappropriately released later.\n\nReported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d\nFixes: c7aa12252f51 (\"NFC: Take a reference on the LLCP local pointer when creating a socket\")\nReviewed-by: Suman Ghosh <sumang@marvell.com>\nSigned-off-by: Siddh Raman Pant <code@siddh.me>\nReviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>\nSigned-off-by: David S. Miller <davem@davemloft.net>"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "versions": [
+ {
+ "version": "3.6",
+ "lessThan": "4.14.336",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "3.6",
+ "lessThan": "4.19.305",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "3.6",
+ "lessThan": "5.4.267",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "3.6",
+ "lessThan": "5.10.208",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "3.6",
+ "lessThan": "5.15.147",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "3.6",
+ "lessThan": "6.1.72",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "3.6",
+ "lessThan": "6.6.11",
+ "status": "affected",
+ "versionType": "custom"
+ },
+ {
+ "version": "3.6",
+ "lessThan": "6.7",
+ "status": "affected",
+ "versionType": "custom"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/torvalds/c/c95f919567d6f1914f13350af61a1b044ac85014"
+ }
+ ],
+ "title": "nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local",
+ "x_generator": {
+ "engine": "bippy-7de06c7ff7c8"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-1851",
+ "requesterUserId": "gregkh@linuxfoundation.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
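Review bot: the eight entries under "affected" -> "versions" overlap, because every one starts at "version": "3.6" and only "lessThan" changes, so a consumer applying them literally will still flag a fixed stable release such as 4.14.336 as affected through the 3.6 <= v < 4.19.305 range (and 4.19.305 through the 5.4.267 range, and so on). With "versionType": "custom" the record gives no rule for resolving that, so either scope each stable branch to its own range (e.g. "version": "4.19", "lessThan": "4.19.305") or add explicit "status": "unaffected" entries for 4.14.336, 4.19.305, 5.4.267, 5.10.208, 5.15.147, 6.1.72, 6.6.11 and 6.7. Since the commit message describes this as a test of version matching, the intended semantics should at least be written down alongside the generator named in "x_generator". Two smaller points: nothing in the record says where the lower bound 3.6 comes from (if it is the release containing Fixes: c7aa12252f51, a reference to that commit would make it checkable), and "references" lists only the mainline fix c95f919567d6 while the seven stable "lessThan" values imply backport commits that a reader cannot verify from this record.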
diff --git a/cve/published/2023/CVE-2023-1851.mbox b/cve/published/2023/CVE-2023-1851.mbox
new file mode 100644
index 00000000..35117dc2
--- /dev/null
+++ b/cve/published/2023/CVE-2023-1851.mbox
@@ -0,0 +1,45 @@
+From: Linux Kernel CVE team <cve@kernel.org>
+Subject: CVE-2023-1851: nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
+
+CVE-2023-1851 has been assigned for the following issue:
+
+nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
+
+llcp_sock_sendmsg() calls nfc_llcp_send_ui_frame() which in turn calls
+nfc_alloc_send_skb(), which accesses the nfc_dev from the llcp_sock for
+getting the headroom and tailroom needed for skb allocation.
+
+Parallelly the nfc_dev can be freed, as the refcount is decreased via
+nfc_free_device(), leading to a UAF reported by Syzkaller, which can
+be summarized as follows:
+
+(1) llcp_sock_sendmsg() -> nfc_llcp_send_ui_frame()
+ -> nfc_alloc_send_skb() -> Dereference *nfc_dev
+(2) virtual_ncidev_close() -> nci_free_device() -> nfc_free_device()
+ -> put_device() -> nfc_release() -> Free *nfc_dev
+
+When a reference to llcp_local is acquired, we do not acquire the same
+for the nfc_dev. This leads to freeing even when the llcp_local is in
+use, and this is the case with the UAF described above too.
+
+Thus, when we acquire a reference to llcp_local, we should acquire a
+reference to nfc_dev, and release the references appropriately later.
+
+References for llcp_local is initialized in nfc_llcp_register_device()
+(which is called by nfc_register_device()). Thus, we should acquire a
+reference to nfc_dev there.
+
+nfc_unregister_device() calls nfc_llcp_unregister_device() which in
+turn calls nfc_llcp_local_put(). Thus, the reference to nfc_dev is
+appropriately released later.
+
+Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
+Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket")
+Reviewed-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: Siddh Raman Pant <code@siddh.me>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Affected versions:
+
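Review bot: the mbox ends with an "Affected versions:" heading followed by nothing, while the JSON for the same CVE carries eight version ranges; either have the generator emit one line per branch here (e.g. "3.6 to 4.14.336") or drop the heading, otherwise recipients of the announcement mail get no version data at all and the two artifacts disagree.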
diff --git a/cve/published/2023/CVE-2023-1851.sha1 b/cve/published/2023/CVE-2023-1851.sha1
new file mode 100644
index 00000000..0c3c966b
--- /dev/null
+++ b/cve/published/2023/CVE-2023-1851.sha1
@@ -0,0 +1 @@
+c95f919567d6f1914f13350af61a1b044ac85014