CVE-2023-52872 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix race condition in status line change on dead connections gsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all timers, removing the virtual tty devices and clearing the data queues. This procedure, however, may cause subsequent changes of the virtual modem status lines of a DLCI. More data is being added the outgoing data queue and the deleted kick timer is restarted to handle this. At this point many resources have already been removed by the cleanup procedure. Thus, a kernel panic occurs. Fix this by proving in gsm_modem_update() that the cleanup procedure has not been started and the mux is still alive. Note that writing to a virtual tty is already protected by checks against the DLCI specific connection state.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890
https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243
https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444
https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a
https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593
https://lore.kernel.org/linux-cve-announce/2024052120-CVE-2023-52872-48fd@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2023-52872
https://www.cve.org/CVERecord?id=CVE-2023-52872

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-21T15:32:06.610Z

Updated: 2024-08-02T23:11:36.237Z

Reserved: 2024-05-21T15:19:24.264Z

Link: CVE-2023-52872

Vulnrichment

Updated: 2024-08-02T23:11:36.237Z

NVD

Status : Awaiting Analysis

Published: 2024-05-21T16:15:23.990

Modified: 2024-05-21T16:53:56.550

Link: CVE-2023-52872

Redhat

Severity : Moderate

Publid Date: 2024-05-21T00:00:00Z

Links: CVE-2023-52872 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52872", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T15:19:24.264Z", "datePublished": "2024-05-21T15:32:06.610Z", "dateUpdated": "2024-08-02T23:11:36.237Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:18:49.850Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix race condition in status line change on dead connections\n\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\n\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\n\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/tty/n_gsm.c"], "versions": [{"version": "dd37f6573878", "lessThan": "81a4dd5e6c78", "status": "affected", "versionType": "git"}, {"version": "c568f7086c6e", "lessThan": "df6cfab66ff2", "status": "affected", "versionType": "git"}, {"version": "c568f7086c6e", "lessThan": "19d34b73234a", "status": "affected", "versionType": "git"}, {"version": "c568f7086c6e", "lessThan": "ce4df90333c4", "status": "affected", "versionType": "git"}, {"version": "c568f7086c6e", "lessThan": "3a75b205de43", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/tty/n_gsm.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.138", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.62", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.5.11", "lessThanOrEqual": "6.5.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.1", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.7", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444"}, {"url": "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593"}, {"url": "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890"}, {"url": "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a"}, {"url": "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243"}], "title": "tty: n_gsm: fix race condition in status line change on dead connections", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52872", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T18:43:05.660039Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:24:08.975Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:36.237Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:36.237Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52872", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-29T18:43:05.660039Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-29T18:43:09.022Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "tty: n_gsm: fix race condition in status line change on dead connections", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "dd37f6573878", "lessThan": "81a4dd5e6c78", "versionType": "git"}, {"status": "affected", "version": "c568f7086c6e", "lessThan": "df6cfab66ff2", "versionType": "git"}, {"status": "affected", "version": "c568f7086c6e", "lessThan": "19d34b73234a", "versionType": "git"}, {"status": "affected", "version": "c568f7086c6e", "lessThan": "ce4df90333c4", "versionType": "git"}, {"status": "affected", "version": "c568f7086c6e", "lessThan": "3a75b205de43", "versionType": "git"}], "programFiles": ["drivers/tty/n_gsm.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.0"}, {"status": "unaffected", "version": "0", "lessThan": "6.0", "versionType": "custom"}, {"status": "unaffected", "version": "5.15.138", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.62", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.5.11", "versionType": "custom", "lessThanOrEqual": "6.5.*"}, {"status": "unaffected", "version": "6.6.1", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/tty/n_gsm.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444"}, {"url": "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593"}, {"url": "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890"}, {"url": "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a"}, {"url": "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix race condition in status line change on dead connections\n\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\n\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\n\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:18:49.850Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52872", "state": "PUBLISHED", "dateUpdated": "2024-08-02T23:11:36.237Z", "dateReserved": "2024-05-21T15:19:24.264Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T15:32:06.610Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix race condition in status line change on dead connections\n\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\n\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\n\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tty: n_gsm: corrige la condici\u00f3n de ejecuci\u00f3n en la l\u00ednea de estado, cambia en conexiones inactivas gsm_cleanup_mux() limpia el gsm cerrando todos los DLCI, deteniendo todos los temporizadores, eliminando los dispositivos tty virtuales y limpiando el colas de datos. Sin embargo, este procedimiento puede provocar cambios posteriores en las l\u00edneas de estado del m\u00f3dem virtual de un DLCI. Se agregan m\u00e1s datos a la cola de datos salientes y el temporizador de eliminaci\u00f3n eliminado se reinicia para manejar esto. En este punto, el procedimiento de limpieza ya ha eliminado muchos recursos. Por tanto, se produce un p\u00e1nico en el n\u00facleo. Solucione este problema demostrando en gsm_modem_update() que el procedimiento de limpieza no se ha iniciado y que el mux sigue activo. Tenga en cuenta que la escritura en un tty virtual ya est\u00e1 protegida mediante comprobaciones del estado de conexi\u00f3n espec\u00edfico de DLCI."}], "id": "CVE-2023-52872", "lastModified": "2024-05-21T16:53:56.550", "metrics": {}, "published": "2024-05-21T16:15:23.990", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/19d34b73234af542cc8a218cf398dee73cdb1890"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3a75b205de43365f80a33b98ec9289785da56243"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/81a4dd5e6c78f5d8952fa8c9d36565db1fe01444"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ce4df90333c4fe65acb8b5089fdfe9b955ce976a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/df6cfab66ff2a44bd23ad5dd5309cb3421bb6593"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: tty: n_gsm: fix race condition in status line change on dead connections", "id": "2282733", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282733"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntty: n_gsm: fix race condition in status line change on dead connections\ngsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all\ntimers, removing the virtual tty devices and clearing the data queues.\nThis procedure, however, may cause subsequent changes of the virtual modem\nstatus lines of a DLCI. More data is being added the outgoing data queue\nand the deleted kick timer is restarted to handle this. At this point many\nresources have already been removed by the cleanup procedure. Thus, a\nkernel panic occurs.\nFix this by proving in gsm_modem_update() that the cleanup procedure has\nnot been started and the mux is still alive.\nNote that writing to a virtual tty is already protected by checks against\nthe DLCI specific connection state."], "name": "CVE-2023-52872", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52872\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52872\nhttps://lore.kernel.org/linux-cve-announce/2024052120-CVE-2023-52872-48fd@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 5.15.138, kernel 6.1.62, kernel 6.5.11, kernel 6.6.1, kernel 6.7"}