| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091512-CVE-2023-53219-bd20@gregkh>
Date: Mon, 15 Sep 2025 16:21:53 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53219: media: netup_unidvb: fix use-after-free at del_timer()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
media: netup_unidvb: fix use-after-free at del_timer()
When Universal DVB card is detaching, netup_unidvb_dma_fini()
uses del_timer() to stop dma->timeout timer. But when timer
handler netup_unidvb_dma_timeout() is running, del_timer()
could not stop it. As a result, the use-after-free bug could
happen. The process is shown below:
(cleanup routine) | (timer routine)
| mod_timer(&dev->tx_sim_timer, ..)
netup_unidvb_finidev() | (wait a time)
netup_unidvb_dma_fini() | netup_unidvb_dma_timeout()
del_timer(&dma->timeout); |
| ndev->pci_dev->dev //USE
Fix by changing del_timer() to del_timer_sync().
The Linux kernel CVE team has assigned CVE-2023-53219 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.3 with commit 52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e and fixed in 4.14.316 with commit dd5c77814f290b353917df329f36de1472d47154
Issue introduced in 4.3 with commit 52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e and fixed in 4.19.284 with commit 90229e9ee957d4514425e4a4d82c50ab5d57ac4d
Issue introduced in 4.3 with commit 52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e and fixed in 5.4.244 with commit 1550bcf2983ae1220cc8ab899a39a423fa7cb523
Issue introduced in 4.3 with commit 52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e and fixed in 5.10.181 with commit f9982db735a8495eee14267cf193c806b957e942
Issue introduced in 4.3 with commit 52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e and fixed in 5.15.113 with commit 051af3f0b7d1cd8ab7f3e2523ad8ae1af44caba3
Issue introduced in 4.3 with commit 52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e and fixed in 6.1.30 with commit 07821524f67bf920342bc84ae8b3dea2a315a89e
Issue introduced in 4.3 with commit 52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e and fixed in 6.3.4 with commit c8f9c05e1ebcc9c7bc211cc8b74d8fb86a8756fc
Issue introduced in 4.3 with commit 52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e and fixed in 6.4 with commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53219
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/media/pci/netup_unidvb/netup_unidvb_core.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/dd5c77814f290b353917df329f36de1472d47154
https://git.kernel.org/stable/c/90229e9ee957d4514425e4a4d82c50ab5d57ac4d
https://git.kernel.org/stable/c/1550bcf2983ae1220cc8ab899a39a423fa7cb523
https://git.kernel.org/stable/c/f9982db735a8495eee14267cf193c806b957e942
https://git.kernel.org/stable/c/051af3f0b7d1cd8ab7f3e2523ad8ae1af44caba3
https://git.kernel.org/stable/c/07821524f67bf920342bc84ae8b3dea2a315a89e
https://git.kernel.org/stable/c/c8f9c05e1ebcc9c7bc211cc8b74d8fb86a8756fc
https://git.kernel.org/stable/c/0f5bb36bf9b39a2a96e730bf4455095b50713f63
Powered by blists - more mailing lists