lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025120842-CVE-2023-53747-ae4a@gregkh>
Date: Mon,  8 Dec 2025 10:19:46 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53747: vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF

After a call to console_unlock() in vcs_write() the vc_data struct can be
freed by vc_port_destruct(). Because of that, the struct vc_data pointer
must be reloaded in the while loop in vcs_write() after console_lock() to
avoid a UAF when vcs_size() is called.

Syzkaller reported a UAF in vcs_size().

BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119

Call Trace:
 <TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:380)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_write (drivers/tty/vt/vc_screen.c:664)
vfs_write (fs/read_write.c:582 fs/read_write.c:564)
...
 <TASK>

Allocated by task 1213:
kmalloc_trace (mm/slab_common.c:1064)
vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680
    drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)
con_install (drivers/tty/vt/vt.c:3334)
tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415
    drivers/tty/tty_io.c:1392)
tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:921)
vfs_open (fs/open.c:1052)
...

Freed by task 4116:
kfree (mm/slab_common.c:1016)
vc_port_destruct (drivers/tty/vt/vt.c:1044)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2778)
...

The buggy address belongs to the object at ffff8880beab8800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
 freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)

The buggy address belongs to the physical page:
page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000
    index:0x0 pfn:0xbeab8
head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0
    pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint

The Linux kernel CVE team has assigned CVE-2023-53747 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.38 with commit ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff and fixed in 4.14.327 with commit 934de9a9b659785fed3e820bc0c813a460c71fea
	Issue introduced in 2.6.38 with commit ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff and fixed in 4.19.284 with commit 0deff678157333d775af190f84696336cdcccd6d
	Issue introduced in 2.6.38 with commit ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff and fixed in 5.4.244 with commit a4e3c4c65ae8510e01352c9a4347e05c035b2ce2
	Issue introduced in 2.6.38 with commit ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff and fixed in 5.10.181 with commit 11dddfbb7a4e62489b01074d6c04d9d1b42e4047
	Issue introduced in 2.6.38 with commit ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff and fixed in 5.15.113 with commit e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67
	Issue introduced in 2.6.38 with commit ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff and fixed in 6.1.30 with commit 3338d0b9acde770ee588eead5cac32c25e7048fc
	Issue introduced in 2.6.38 with commit ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff and fixed in 6.3.4 with commit 1de42e7653d6714a7507ba6696151a1fa028c69f
	Issue introduced in 2.6.38 with commit ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff and fixed in 6.4 with commit 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53747
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/tty/vt/vc_screen.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/934de9a9b659785fed3e820bc0c813a460c71fea
	https://git.kernel.org/stable/c/0deff678157333d775af190f84696336cdcccd6d
	https://git.kernel.org/stable/c/a4e3c4c65ae8510e01352c9a4347e05c035b2ce2
	https://git.kernel.org/stable/c/11dddfbb7a4e62489b01074d6c04d9d1b42e4047
	https://git.kernel.org/stable/c/e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67
	https://git.kernel.org/stable/c/3338d0b9acde770ee588eead5cac32c25e7048fc
	https://git.kernel.org/stable/c/1de42e7653d6714a7507ba6696151a1fa028c69f
	https://git.kernel.org/stable/c/8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ