| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100131-CVE-2023-53515-abe8@gregkh> Date: Wed, 1 Oct 2025 13:46:07 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53515: virtio-mmio: don't break lifecycle of vm_dev From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: virtio-mmio: don't break lifecycle of vm_dev vm_dev has a separate lifecycle because it has a 'struct device' embedded. Thus, having a release callback for it is correct. Allocating the vm_dev struct with devres totally breaks this protection, though. Instead of waiting for the vm_dev release callback, the memory is freed when the platform_device is removed. Resulting in a use-after-free when finally the callback is to be called. To easily see the problem, compile the kernel with CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs. The fix is easy, don't use devres in this case. Found during my research about object lifetime problems. The Linux kernel CVE team has assigned CVE-2023-53515 to this issue. Affected and fixed versions =========================== Issue introduced in 4.15 with commit 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 and fixed in 4.19.293 with commit 97a2d55ead76358245b446efd87818e919196d7a Issue introduced in 4.15 with commit 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 and fixed in 5.4.255 with commit b788ad3b2468512339c05f23692e36860264e674 Issue introduced in 4.15 with commit 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 and fixed in 5.10.192 with commit 3ff54d904fafabd0912796785e53cce4e69ca123 Issue introduced in 4.15 with commit 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 and fixed in 5.15.128 with commit 5b7d5c2dd664eb8b9a06ecbc06e28d39359c422e Issue introduced in 4.15 with commit 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 and fixed in 6.1.47 with commit af5818c35173e096085c6ae2e3aac605d3d15e41 Issue introduced in 4.15 with commit 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 and fixed in 6.4.12 with commit 2dcb368fe5a8eee498ca75c93a18ce2f3b0d6a8e Issue introduced in 4.15 with commit 7eb781b1bbb7136fe78fb8c28c1c223c61fa32b5 and fixed in 6.5 with commit 55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53515 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/virtio/virtio_mmio.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/97a2d55ead76358245b446efd87818e919196d7a https://git.kernel.org/stable/c/b788ad3b2468512339c05f23692e36860264e674 https://git.kernel.org/stable/c/3ff54d904fafabd0912796785e53cce4e69ca123 https://git.kernel.org/stable/c/5b7d5c2dd664eb8b9a06ecbc06e28d39359c422e https://git.kernel.org/stable/c/af5818c35173e096085c6ae2e3aac605d3d15e41 https://git.kernel.org/stable/c/2dcb368fe5a8eee498ca75c93a18ce2f3b0d6a8e https://git.kernel.org/stable/c/55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a
Powered by blists - more mailing lists