7.8

CVE-2023-53484

lib: cpu_rmap: Avoid use after free on rmap->obj array entries

In the Linux kernel, the following vulnerability has been resolved:

lib: cpu_rmap: Avoid use after free on rmap->obj array entries

When calling irq_set_affinity_notifier() with NULL at the notify
argument, it will cause freeing of the glue pointer in the
corresponding array entry but will leave the pointer in the array. A
subsequent call to free_irq_cpu_rmap() will try to free this entry again
leading to possible use after free.

Fix that by setting NULL to the array entry and checking that we have
non-zero at the array entry when iterating over the array in
free_irq_cpu_rmap().

The current code does not suffer from this since there are no cases
where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the
notify arg) is called, followed by a call to free_irq_cpu_rmap() so we
don't hit and issue. Subsequent patches in this series excersize this
flow, hence the required fix.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 3.8.1 < 4.14.316
LinuxLinux Kernel Version >= 4.15 < 4.19.284
LinuxLinux Kernel Version >= 4.20 < 5.4.244
LinuxLinux Kernel Version >= 5.5 < 5.10.181
LinuxLinux Kernel Version >= 5.11 < 5.15.113
LinuxLinux Kernel Version >= 5.16 < 6.1.30
LinuxLinux Kernel Version >= 6.2 < 6.3.4
LinuxLinux Kernel Version3.8 Update-
LinuxLinux Kernel Version3.8 Updaterc4
LinuxLinux Kernel Version3.8 Updaterc5
LinuxLinux Kernel Version3.8 Updaterc6
LinuxLinux Kernel Version3.8 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.045
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/4e0473f1060aa49621d40a113afde24818101d37
Patch
https://git.kernel.org/stable/c/67bca5f1d644f4e79b694abd8052a177de81c37f
Patch
https://git.kernel.org/stable/c/981f339d2905b6a92ef59358158b326493aecac5
Patch
https://git.kernel.org/stable/c/c6ed54dd90698dc0744d669524cc1c122ded8a16
Patch
https://git.kernel.org/stable/c/c9115f49cf260d24d8b5f2d9a4b63cb31a627bb4
Patch
https://git.kernel.org/stable/c/cc2d2b3dbfb0ba57bc027fb7e1121250c50e4000
Patch
https://git.kernel.org/stable/c/d1308bd0b24cb1d78fa2747d5fa3e055cc628a48
Patch
https://git.kernel.org/stable/c/f748e15253833b771acbede14ea98f50831ac289
Patch