CVE-2023-52439: uio: Fix use-after-free in uio_open
In the Linux kernel, the following vulnerability has been resolved:
uio: Fix use-after-free in uio_open

        core-1                          core-2
-------------------------------------------------------
uio_unregister_device            uio_open
                                 idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
                                 get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
                                 uio_release
                                 put_device(&idev->dev)
                                 kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 does uio_release and put_device, the idev will be double freed.

To address this issue, we can get idev atomic & inc idev reference with minor_lock.
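The race above is a lookup-then-take-reference pattern where the lock is released between the two steps. The following is an added example, not the kernel's uio code and not the actual patch: a userspace C model that replays the diagram's interleaving against the old open path and against the fixed pattern (lookup and reference increment in one minor_lock critical section). The names idr_find, get_device, put_device and uio_free_minor are borrowed from the commit message but re-implemented here as stand-ins, the simulated kfree only marks the object freed so the use-after-free and double free can be counted, and the model assumes the unregister path removes the minor from the table before dropping its own reference, which the page does not state.

```c
/* Added example, not the kernel's uio code or the patch itself: a userspace C
 * model of the interleaving in the diagram above.  idr_find/get_device/
 * put_device/uio_free_minor are stand-ins that borrow the commit message's
 * names so the old and new open paths can be replayed step by step; "kfree"
 * only marks the object freed, so the UAF and double free are counted. */
#include <string.h>

struct uio_device {
    int refcount;            /* stands in for the idev->dev kobject reference */
    int freed;               /* set once the simulated kfree(idev) has run */
};

struct outcome {
    int uaf_accesses;        /* refcount touched after the object was freed */
    int frees;               /* times kfree(idev) ran; 2 means a double free */
    int open_failed;         /* uio_open returned -ENODEV */
    int lock_violations;     /* idr_remove ran while uio_open held minor_lock */
};

static struct uio_device *uio_idr[1];  /* one-slot stand-in for the idr */
static struct uio_device dev_storage;  /* the "allocated" idev */
static struct outcome cur;
static int minor_lock_held;            /* models the minor_lock mutex */

static void reset(void)
{
    memset(&cur, 0, sizeof(cur));
    dev_storage = (struct uio_device){ .refcount = 1 };  /* the device's own reference */
    uio_idr[0] = &dev_storage;
    minor_lock_held = 0;
}

static void minor_lock(void)   { minor_lock_held = 1; }
static void minor_unlock(void) { minor_lock_held = 0; }
static struct uio_device *idr_find(int minor) { return uio_idr[minor]; }

/* uio_free_minor(): idr_remove() under minor_lock.  The real mutex would block;
 * in this replay a call while uio_open holds the lock is an impossible schedule
 * and is counted as a violation so a bad replay cannot pass silently. */
static void uio_free_minor(int minor)
{
    cur.lock_violations += minor_lock_held;
    uio_idr[minor] = NULL;
}

static void get_device(struct uio_device *idev)
{
    cur.uaf_accesses += idev->freed;   /* incrementing a refcount in freed memory */
    idev->refcount++;
}

static void put_device(struct uio_device *idev)
{
    cur.uaf_accesses += idev->freed;
    if (--idev->refcount == 0) {       /* uio_device_release() -> kfree(idev) */
        cur.frees++;
        idev->freed = 1;
    }
}

/* Old uio_open(): lookup under minor_lock, but the lock is dropped before
 * get_device(), which opens the window the diagram walks through. */
struct outcome replay_vulnerable(void)
{
    struct uio_device *idev;
    reset();
    minor_lock();                      /* core-2: uio_open */
    idev = idr_find(0);
    minor_unlock();
    put_device(&dev_storage);          /* core-1: device_unregister -> put_device, 1 -> 0, kfree(idev) */
    get_device(idev);                  /* core-2 resumes: use-after-free */
    uio_free_minor(0);                 /* core-1: uio_free_minor(minor) */
    put_device(idev);                  /* core-2: uio_release -> put_device, idev freed again */
    return cur;
}

/* Fixed pattern: idr_find() and get_device() share one minor_lock critical
 * section, and (an assumption of this model, not stated on the page) the
 * unregister path removes the minor under that lock before dropping its own
 * reference.  Only two schedules remain: open wins, or unregister wins. */
struct outcome replay_fixed(int open_first)
{
    struct uio_device *idev;
    reset();
    if (!open_first)
        uio_free_minor(0);             /* core-1 reaches idr_remove first */
    minor_lock();                      /* core-2: uio_open */
    idev = idr_find(0);
    cur.open_failed = (idev == NULL);  /* -ENODEV once the minor is gone */
    if (idev)
        get_device(idev);              /* reference taken while still registered */
    minor_unlock();
    if (open_first)
        uio_free_minor(0);
    put_device(&dev_storage);          /* core-1: device_unregister -> put_device */
    if (idev)
        put_device(idev);              /* core-2: uio_release drops the last reference */
    return cur;
}
```

Replaying the old path yields two accesses to freed memory and two frees of the same object, exactly the two consequences the commit message lists. With the fixed pattern the only two outcomes are a successful open holding a live reference (freed once, by whichever side drops the last reference) or a clean -ENODEV, and the lock_violations counter stays at zero, showing the diagram's schedule is no longer reachable. The two invariants a reviewer should look for in any driver with a minor-number table are the same: never release the lookup lock before the reference is taken, and remove the table entry before the last put.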
Frequently Asked Questions
What is the severity of CVE-2023-52439?
CVE-2023-52439 is rated moderate here: it is a use-after-free, and on the same path a double free, of a uio_device structure in the Linux kernel, reachable only by a local process that opens a uio device node while that device is concurrently being unregistered.
How do I fix CVE-2023-52439?
Upgrade to a kernel build that contains the uio_open fix; for the 5.10 series this page lists 5.10.223-1 as a patched build. Stable series are versioned independently, so do not compare version numbers across series: check your distribution's advisory for the fixed version of the series you actually run. The fix is in the kernel's uio driver, so it takes effect only once the updated kernel is running.
Which versions of the Linux kernel are affected by CVE-2023-52439?
As listed here, the affected range runs from 4.18.0 through 6.6.13. The "excluding 5.10.223 and higher" qualifier applies only within the 5.10 stable series; the other stable series received their own backports of the fix, so confirm the fixed version for the specific series you run rather than relying on a single cut-off number.
Can CVE-2023-52439 be exploited remotely?
No. The bug is in the open path of a local character device (/dev/uioN), so an attacker needs local code execution and permission to open a uio device node, plus a window in which that device is being unregistered (for example when its driver module is unloaded or the device is removed). Within that window it yields a use-after-free and double free in the kernel, which is why it is treated as a local privilege-escalation risk rather than a remote one.
What components of the Linux kernel are impacted by CVE-2023-52439?
CVE-2023-52439 impacts the Userspace I/O (uio) framework in drivers/uio, specifically the core open and unregister paths (uio_open and uio_unregister_device) that look up a struct uio_device by minor number in an idr under minor_lock. uio is what lets userspace drivers map device memory and receive interrupts through /dev/uioN, so any uio-based driver exposes the affected path.