CVE-2023-52509 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: ravb: Fix use-after-free issue in ravb_tx_timeout_work() The ravb_stop() should call cancel_work_sync(). Otherwise, ravb_tx_timeout_work() is possible to use the freed priv after ravb_remove() was called like below: CPU0 CPU1 ravb_tx_timeout() ravb_remove() unregister_netdev() free_netdev(ndev) // free priv ravb_tx_timeout_work() // use priv unregister_netdev() will call .ndo_stop() so that ravb_stop() is called. And, after phy_stop() is called, netif_carrier_off() is also called. So that .ndo_tx_timeout() will not be called after phy_stop().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705
https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89
https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6
https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5
https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965
https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82
https://lore.kernel.org/linux-cve-announce/2024030250-CVE-2023-52509-997c@gregkh/T/#u
https://nvd.nist.gov/vuln/detail/CVE-2023-52509
https://www.cve.org/CVERecord?id=CVE-2023-52509

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-03-02T21:52:22.006Z

Updated: 2024-11-04T14:48:15.608Z

Reserved: 2024-02-20T12:30:33.315Z

Link: CVE-2023-52509

Vulnrichment

Updated: 2024-08-02T23:03:20.848Z

NVD

Status : Awaiting Analysis

Published: 2024-03-02T22:15:47.540

Modified: 2024-03-04T13:58:23.447

Link: CVE-2023-52509

Redhat

Severity : Low

Publid Date: 2024-03-02T00:00:00Z

Links: CVE-2023-52509 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52509", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-20T12:30:33.315Z", "datePublished": "2024-03-02T21:52:22.006Z", "dateUpdated": "2024-11-04T14:48:15.608Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:48:15.608Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/renesas/ravb_main.c"], "versions": [{"version": "c156633f1353", "lessThan": "65d34cfd4e34", "status": "affected", "versionType": "git"}, {"version": "c156633f1353", "lessThan": "db9aafa19547", "status": "affected", "versionType": "git"}, {"version": "c156633f1353", "lessThan": "616761cf9df9", "status": "affected", "versionType": "git"}, {"version": "c156633f1353", "lessThan": "6f6fa8061f75", "status": "affected", "versionType": "git"}, {"version": "c156633f1353", "lessThan": "105abd68ad8f", "status": "affected", "versionType": "git"}, {"version": "c156633f1353", "lessThan": "397144287071", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/renesas/ravb_main.c"], "versions": [{"version": "4.2", "status": "affected"}, {"version": "0", "lessThan": "4.2", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.259", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.199", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.136", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.59", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.5.8", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5"}, {"url": "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82"}, {"url": "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6"}, {"url": "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965"}, {"url": "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705"}, {"url": "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89"}], "title": "ravb: Fix use-after-free issue in ravb_tx_timeout_work()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T20:38:43.674426Z", "id": "CVE-2023-52509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T20:38:50.426Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.848Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:03:20.848Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T20:38:43.674426Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T20:38:48.127Z"}}], "cna": {"title": "ravb: Fix use-after-free issue in ravb_tx_timeout_work()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "c156633f1353", "lessThan": "65d34cfd4e34", "versionType": "git"}, {"status": "affected", "version": "c156633f1353", "lessThan": "db9aafa19547", "versionType": "git"}, {"status": "affected", "version": "c156633f1353", "lessThan": "616761cf9df9", "versionType": "git"}, {"status": "affected", "version": "c156633f1353", "lessThan": "6f6fa8061f75", "versionType": "git"}, {"status": "affected", "version": "c156633f1353", "lessThan": "105abd68ad8f", "versionType": "git"}, {"status": "affected", "version": "c156633f1353", "lessThan": "397144287071", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/renesas/ravb_main.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.2"}, {"status": "unaffected", "version": "0", "lessThan": "4.2", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.259", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.199", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.136", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.59", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.8", "versionType": "semver", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/ethernet/renesas/ravb_main.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5"}, {"url": "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82"}, {"url": "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6"}, {"url": "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965"}, {"url": "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705"}, {"url": "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop()."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:48:15.608Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52509", "state": "PUBLISHED", "dateUpdated": "2024-11-04T14:48:15.608Z", "dateReserved": "2024-02-20T12:30:33.315Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-03-02T21:52:22.006Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\n\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\n\nCPU0\t\t\tCPU1\n\t\t\travb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\n\t\t\travb_tx_timeout_work()\n\t\t\t// use priv\n\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ravb: soluciona el problema de Use After Free en ravb_tx_timeout_work(). Ravb_stop() deber\u00eda llamar a cancel_work_sync(). De lo contrario, ravb_tx_timeout_work() es posible usar el privilegio liberado despu\u00e9s de que se llam\u00f3 a ravb_remove() como se muestra a continuaci\u00f3n: CPU0 CPU1 ravb_tx_timeout() ravb_remove() unregister_netdev() free_netdev(ndev) // priv libre ravb_tx_timeout_work() // usa priv unregister_netdev() llamar\u00e1 a .ndo_stop() para que se llame a ravb_stop(). Y, despu\u00e9s de llamar a phy_stop(), tambi\u00e9n se llama a netif_carrier_off(). De modo que .ndo_tx_timeout() no ser\u00e1 llamado despu\u00e9s de phy_stop()."}], "id": "CVE-2023-52509", "lastModified": "2024-03-04T13:58:23.447", "metrics": {}, "published": "2024-03-02T22:15:47.540", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/105abd68ad8f781985113aee2e92e0702b133705"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3971442870713de527684398416970cf025b4f89"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/616761cf9df9af838c0a1a1232a69322a9eb67e6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/65d34cfd4e347054eb4193bc95d9da7eaa72dee5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6f6fa8061f756aedb93af12a8a5d3cf659127965"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/db9aafa19547833240f58c2998aed7baf414dc82"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ravb: Fix use-after-free issue in ravb_tx_timeout_work()", "id": "2267774", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2267774"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nravb: Fix use-after-free issue in ravb_tx_timeout_work()\nThe ravb_stop() should call cancel_work_sync(). Otherwise,\nravb_tx_timeout_work() is possible to use the freed priv after\nravb_remove() was called like below:\nCPU0CPU1\nravb_tx_timeout()\nravb_remove()\nunregister_netdev()\nfree_netdev(ndev)\n// free priv\nravb_tx_timeout_work()\n// use priv\nunregister_netdev() will call .ndo_stop() so that ravb_stop() is\ncalled. And, after phy_stop() is called, netif_carrier_off()\nis also called. So that .ndo_tx_timeout() will not be called\nafter phy_stop()."], "name": "CVE-2023-52509", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52509\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52509\nhttps://lore.kernel.org/linux-cve-announce/2024030250-CVE-2023-52509-997c@gregkh/T/#u"], "threat_severity": "Low", "upstream_fix": "kernel 5.4.259, kernel 5.10.199, kernel 5.15.136, kernel 6.1.59, kernel 6.5.8, kernel 6.6"}