Bug 1210781 (CVE-2023-31082) - VUL-0: CVE-2023-31082: kernel: drivers/tty/n_gsm.c sleeping function called from an invalid context in gsmld_write
Status: IN_PROGRESS
Alias: CVE-2023-31082
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/364289/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-31082:5.5:(AV:...
Reported: 2023-04-24 13:42 UTC by Robert Frohl
Modified: 2024-05-07 09:09 UTC
Found By: Security Response Team
Description Robert Frohl 2023-04-24 13:42:30 UTC
CVE-2023-31082

An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is
a sleeping function called from an invalid context in gsmld_write, which will
block the kernel.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-31082
https://www.cve.org/CVERecord?id=CVE-2023-31082
https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A@mail.gmail.com/
Comment 2 Jan Kara 2023-04-25 13:12:28 UTC
Another instance of syzkaller crash => CVE logic :-| This time in tty. Jiri, can you please have a look?
Comment 3 Jiri Slaby 2023-04-27 04:37:56 UTC
(In reply to Jan Kara from comment #2)
> Jiri, can you please have a look?

I already did :):
https://lore.kernel.org/all/5a994a13-d1f2-87a8-09e4-a877e65ed166@kernel.org/

It is not easy to fix. n_gsm is a mess. We can apply a workaround to disallow n_gsm for virtual terminals. I assume n_gsm is used only for real lines.
Comment 7 Jiri Slaby 2023-07-24 10:38:49 UTC
Still, I am not aware of a working fix, nor that someone is (or even is able to) working on this upstream.
Comment 9 Jiri Slaby 2023-10-04 10:06:16 UTC
This is a non-issue and does not warrant a CVE at all.

Assigning n_gsm to a console equals shooting to a foot.

I forgot the process, how can we dispute a CVE?

Can we just close this as WONTFIX? Or do we have to ^^ first?
Comment 10 Jiri Slaby 2023-10-04 10:11:48 UTC
(In reply to Jiri Slaby from comment #9)
> I forgot the process, how can we dispute a CVE?

Hopefully, I enqueued a request to dispute the CVE.
Comment 11 Jan Kara 2023-10-04 14:41:15 UTC
Usually we just ask security-team and someone from them handles the disputation process...
Comment 12 Jiri Slaby 2023-10-17 10:30:20 UTC
(In reply to Jiri Slaby from comment #9)
> This is a non-issue and does not warrant a CVE at all.
> 
> Assigning n_gsm to a console equals shooting to a foot.
> 
> I forgot the process, how can we dispute a CVE?

^^
Comment 13 Robert Frohl 2023-10-26 09:38:39 UTC
(In reply to Jan Kara from comment #11)
> Usually we just ask security-team and someone from them handles the
> disputation process...

Could I maybe get a more detailed comment then:

> Assigning n_gsm to a console equals shooting to a foot.

I need to provide some reasoning to revoking the CVE, not sure this would be enough to understand that this is not an issue ;)
Comment 15 Jiri Slaby 2023-11-21 11:46:23 UTC
(In reply to Robert Frohl from comment #13)
> > Assigning n_gsm to a console equals shooting to a foot.
> 
> I need to provide some reasoning to revoking the CVE, not sure this would be
> enough to understand that this is not an issue ;)

First, the operation to assign a line discipline to a tty requires root privileges. So how come this is reported as a security issue in the first place?

Second, assigning n_gsm to a console (/dev/tty[0-9]* and similar) is not supported -- why would anyone want to do that? So since the syzkaller report is based on this invalid setup, the report is all wrong.
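
The setup discussed in comment 15 can be checked for on a running system with a read-only query of each tty's line discipline. The following is an added example, not part of the bug report or of the kernel source. The helper names are hypothetical, and treating "console" as `/dev/tty` followed only by digits is an assumption that does not cover the "and similar" devices the comment mentions.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#ifndef N_GSM0710
#define N_GSM0710 21 /* value from include/uapi/linux/tty.h */
#endif

/* Assumption: "console" = "/dev/tty" followed only by digits. */
int is_virtual_console(const char *path) {
    static const char prefix[] = "/dev/tty";
    size_t n = sizeof(prefix) - 1;
    if (strncmp(path, prefix, n) != 0 || path[n] == '\0')
        return 0;
    for (const char *c = path + n; *c; c++)
        if (!isdigit((unsigned char)*c))
            return 0;
    return 1;
}

/* 1 when n_gsm is attached to a console, the setup comment 15 calls unsupported. */
int is_unsupported_setup(const char *path, int ldisc) {
    return ldisc == N_GSM0710 && is_virtual_console(path);
}

/* Read-only query of a tty's current line discipline; -1 on any error. */
int get_ldisc(const char *path) {
    int ldisc = -1;
    int fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (ioctl(fd, TIOCGETD, &ldisc) < 0)
        ldisc = -1;
    close(fd);
    return ldisc;
}

int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        int ld = get_ldisc(argv[i]);
        printf("%s: ldisc=%d%s\n", argv[i], ld,
               is_unsupported_setup(argv[i], ld) ? " (N_GSM0710 on a console)" : "");
    }
    return 0;
}
```

Run it with the tty device paths to audit as arguments; a line discipline of 0 is the default N_TTY.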