7
CVE-2023-52503
- EPSS 0.26%
- Veröffentlicht 02.03.2024 22:15:47
- Zuletzt bearbeitet 10.12.2024 21:26:43
- CVE-Watchlists
- Unerledigt
tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
In the Linux kernel, the following vulnerability has been resolved:
tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
There is a potential race condition in amdtee_close_session that may
cause use-after-free in amdtee_open_session. For instance, if a session
has refcount == 1, and one thread tries to free this session via:
kref_put(&sess->refcount, destroy_session);
the reference count will get decremented, and the next step would be to
call destroy_session(). However, if in another thread,
amdtee_open_session() is called before destroy_session() has completed
execution, alloc_session() may return 'sess' that will be freed up
later in destroy_session() leading to use-after-free in
amdtee_open_session.
To fix this issue, treat decrement of sess->refcount and removal of
'sess' from session list in destroy_session() as a critical section, so
that it is executed atomically.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.6 < 5.10.199
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.136
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.59
Linux ≫ Linux Kernel Version >= 6.2 < 6.5.8
Linux ≫ Linux Kernel Version6.6 Updaterc1
Linux ≫ Linux Kernel Version6.6 Updaterc2
Linux ≫ Linux Kernel Version6.6 Updaterc3
Linux ≫ Linux Kernel Version6.6 Updaterc4
Linux ≫ Linux Kernel Version6.6 Updaterc5
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.168 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116
https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce
https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c
https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27
https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f