Bug 1218335 (CVE-2023-6546) - VUL-0: CVE-2023-6546: kernel-source,kernel-source-azure,kernel-source-rt: GSM multiplexing race condition leads to privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2023-6546
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/389007/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-6546:6.4:(AV:L...
Blocks: 1222685
Reported: 2023-12-22 08:37 UTC by SMASH SMASH
Modified: 2024-06-25 18:03 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description SMASH SMASH 2023-12-22 08:37:31 UTC
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6546
https://bugzilla.redhat.com/show_bug.cgi?id=2255498
https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3
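The race in the description above, reduced to a single-threaded model with the losing interleaving forced; this is an added example, not part of the bug report and not kernel code. It assumes the use-after-free comes from a channel pointer that is read before the mux lock is taken, and every struct and function name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name below is hypothetical. */
struct model_dlci { bool released; bool dead; };
struct model_mux  { struct model_dlci *dlci0; };

/* The other thread's cleanup, run to completion under the lock. The object
 * is flagged instead of freed so a stale access is observable without UB. */
static void other_thread_cleanup(struct model_mux *m)
{
    if (m->dlci0) {
        m->dlci0->released = true;
        m->dlci0 = NULL;
    }
}

/* Marks the channel dead; reports whether it had already been released. */
static bool mark_dead(struct model_dlci *d)
{
    if (!d) return false;           /* slot empty: nothing to touch */
    if (d->released) return true;   /* in a kernel this write is the UAF */
    d->dead = true;
    return false;
}

/* Racy shape: the slot is read before the lock is acquired. */
static bool cleanup_read_before_lock(struct model_mux *m)
{
    struct model_dlci *d = m->dlci0;  /* unlocked snapshot */
    other_thread_cleanup(m);          /* competitor gets the lock first */
    return mark_dead(d);              /* lock now held, but d is stale */
}

/* Safe shape: wait for the lock, then read the slot. */
static bool cleanup_read_under_lock(struct model_mux *m)
{
    other_thread_cleanup(m);          /* competitor gets the lock first */
    return mark_dead(m->dlci0);       /* read under lock: slot is NULL */
}

/* Forces the losing interleaving once; returns 1 on a stale access. */
int run_model(bool read_under_lock)
{
    struct model_dlci chan = { false, false };
    struct model_mux mux = { &chan };
    return read_under_lock ? cleanup_read_under_lock(&mux) : cleanup_read_before_lock(&mux);
}

int main(void)
{
    printf("stale access: before-lock=%d under-lock=%d\n", run_model(false), run_model(true));
    return 0;
}
```
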
Comment 1 Joey Lee 2023-12-25 15:51:17 UTC
(In reply to SMASH SMASH from comment #0)
> A race condition was found in the GSM 0710 tty multiplexor in the Linux
> kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl
> on the same tty file descriptor with the gsm line discipline enabled, and
> can lead to a use-after-free problem on a struct gsm_dlci while restarting
> the gsm mux. This could allow a local unprivileged user to escalate their
> privileges on the system.
> 
> References:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6546
> https://bugzilla.redhat.com/show_bug.cgi?id=2255498
> https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3

commit 3c4f8333b582487a2d1e02171f1465531cde53e3         [v6.5-rc7]
Author: Yi Yang <yiyang13@huawei.com>
Date:   Fri Aug 11 11:11:21 2023 +0800

    tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
...
    Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000
    Cc: stable <stable@kernel.org>
    Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux")              [v6.5-rc4]
    Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")    [v5.18-rc5]
    Signed-off-by: Yi Yang <yiyang13@huawei.com>
Comment 2 Joey Lee 2023-12-25 16:00:20 UTC
(In reply to Joey Lee from comment #1)
> (In reply to SMASH SMASH from comment #0)
> > A race condition was found in the GSM 0710 tty multiplexor in the Linux
> > kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl
> > on the same tty file descriptor with the gsm line discipline enabled, and
> > can lead to a use-after-free problem on a struct gsm_dlci while restarting
> > the gsm mux. This could allow a local unprivileged user to escalate their
> > privileges on the system.
> > 
> > References:
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6546
> > https://bugzilla.redhat.com/show_bug.cgi?id=2255498
> > https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3
> 
> commit 3c4f8333b582487a2d1e02171f1465531cde53e3         [v6.5-rc7]
> Author: Yi Yang <yiyang13@huawei.com>
> Date:   Fri Aug 11 11:11:21 2023 +0800
> 
>     tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
> ...
>     Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000
>     Cc: stable <stable@kernel.org>
>     Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux")              [v6.5-rc4]
>     Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")    [v5.18-rc5]
>     Signed-off-by: Yi Yang <yiyang13@huawei.com>

15-SP6  v6.4    [affect]
15-SP5  v5.14   [update references, sent]
15-SP4  v5.14   [update references, sent]
15-SP3  v5.3    [not affect]
Comment 3 Joey Lee 2023-12-25 16:03:48 UTC
(In reply to Joey Lee from comment #2)
> (In reply to Joey Lee from comment #1)
[...snip]
> > 
> > commit 3c4f8333b582487a2d1e02171f1465531cde53e3         [v6.5-rc7]
> > Author: Yi Yang <yiyang13@huawei.com>
> > Date:   Fri Aug 11 11:11:21 2023 +0800
> > 
> >     tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
> > ...
> >     Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000
> >     Cc: stable <stable@kernel.org>
> >     Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux")              [v6.5-rc4]
> >     Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")    [v5.18-rc5]
> >     Signed-off-by: Yi Yang <yiyang13@huawei.com>
> 
> 15-SP6  v6.4    [affect]
> 15-SP5  v5.14   [update references, sent]
> 15-SP4  v5.14   [update references, sent]
> 15-SP3  v5.3    [not affect]

Update status:

15-SP6  v6.4    [update references, sent]
15-SP5  v5.14   [update references, sent]
15-SP4  v5.14   [update references, sent]
15-SP3  v5.3    [not affect]
Comment 16 Maintenance Automation 2024-01-16 16:30:08 UTC
SUSE-SU-2024:0129-1: An update that solves 10 vulnerabilities, contains three features and has 31 security fixes can now be installed.

Category: security (important)
Bug References: 1179610, 1183045, 1193285, 1211162, 1211226, 1212584, 1214747, 1214823, 1215237, 1215696, 1215885, 1216057, 1216559, 1216776, 1217036, 1217217, 1217250, 1217602, 1217692, 1217790, 1217801, 1217933, 1217938, 1217946, 1217947, 1217980, 1217981, 1217982, 1218056, 1218139, 1218184, 1218234, 1218253, 1218258, 1218335, 1218357, 1218447, 1218515, 1218559, 1218569, 1218659
CVE References: CVE-2020-26555, CVE-2023-51779, CVE-2023-6121, CVE-2023-6531, CVE-2023-6546, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6931, CVE-2023-6932
Jira References: PED-3459, PED-5021, PED-7322
Sources used:
SUSE Real Time Module 15-SP4 (src): kernel-syms-rt-5.14.21-150400.15.65.1, kernel-source-rt-5.14.21-150400.15.65.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_17-1-150400.1.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2024-01-16 16:30:28 UTC
SUSE-SU-2024:0115-1: An update that solves 10 vulnerabilities, contains three features and has 40 security fixes can now be installed.

Category: security (important)
Bug References: 1179610, 1183045, 1211162, 1211226, 1212139, 1212584, 1214117, 1214747, 1214823, 1215237, 1215696, 1215885, 1215952, 1216032, 1216057, 1216559, 1216776, 1217036, 1217217, 1217250, 1217602, 1217692, 1217790, 1217801, 1217822, 1217927, 1217933, 1217938, 1217946, 1217947, 1217980, 1217981, 1217982, 1218056, 1218092, 1218139, 1218184, 1218229, 1218234, 1218253, 1218258, 1218335, 1218357, 1218397, 1218447, 1218461, 1218515, 1218559, 1218569, 1218643
CVE References: CVE-2020-26555, CVE-2023-51779, CVE-2023-6121, CVE-2023-6531, CVE-2023-6546, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6931, CVE-2023-6932
Jira References: PED-3459, PED-5021, PED-7167
Sources used:
openSUSE Leap 15.5 (src): kernel-source-rt-5.14.21-150500.13.30.1, kernel-livepatch-SLE15-SP5-RT_Update_9-1-150500.11.3.1, kernel-syms-rt-5.14.21-150500.13.30.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5-RT_Update_9-1-150500.11.3.1
SUSE Real Time Module 15-SP5 (src): kernel-source-rt-5.14.21-150500.13.30.1, kernel-syms-rt-5.14.21-150500.13.30.1

Comment 21 Maintenance Automation 2024-01-18 12:30:20 UTC
SUSE-SU-2024:0141-1: An update that solves 10 vulnerabilities, contains three features and has 41 security fixes can now be installed.

Category: security (important)
Bug References: 1108281, 1179610, 1183045, 1211162, 1211226, 1212139, 1212584, 1214117, 1214747, 1214823, 1215237, 1215696, 1215885, 1215952, 1216032, 1216057, 1216559, 1216776, 1217036, 1217217, 1217250, 1217602, 1217692, 1217790, 1217801, 1217822, 1217927, 1217933, 1217938, 1217946, 1217947, 1217980, 1217981, 1217982, 1218056, 1218092, 1218139, 1218184, 1218229, 1218234, 1218253, 1218258, 1218335, 1218357, 1218397, 1218447, 1218461, 1218515, 1218559, 1218569, 1218643
CVE References: CVE-2020-26555, CVE-2023-51779, CVE-2023-6121, CVE-2023-6531, CVE-2023-6546, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6931, CVE-2023-6932
Jira References: PED-3459, PED-5021, PED-7167
Sources used:
openSUSE Leap 15.5 (src): kernel-syms-azure-5.14.21-150500.33.29.1, kernel-source-azure-5.14.21-150500.33.29.1
Public Cloud Module 15-SP5 (src): kernel-syms-azure-5.14.21-150500.33.29.1, kernel-source-azure-5.14.21-150500.33.29.1

Comment 23 Maintenance Automation 2024-01-18 20:30:11 UTC
SUSE-SU-2024:0160-1: An update that solves 10 vulnerabilities, contains three features and has 42 security fixes can now be installed.

Category: security (important)
Bug References: 1179610, 1183045, 1211162, 1211226, 1212139, 1212584, 1214117, 1214158, 1214747, 1214823, 1215237, 1215696, 1215885, 1215952, 1216032, 1216057, 1216559, 1216776, 1217036, 1217217, 1217250, 1217602, 1217692, 1217790, 1217801, 1217822, 1217927, 1217933, 1217938, 1217946, 1217947, 1217980, 1217981, 1217982, 1218056, 1218092, 1218139, 1218184, 1218229, 1218234, 1218253, 1218258, 1218335, 1218357, 1218397, 1218447, 1218461, 1218515, 1218559, 1218569, 1218643, 1218738
CVE References: CVE-2020-26555, CVE-2023-51779, CVE-2023-6121, CVE-2023-6531, CVE-2023-6546, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6931, CVE-2023-6932
Jira References: PED-3459, PED-5021, PED-7167
Sources used:
openSUSE Leap 15.5 (src): kernel-obs-build-5.14.21-150500.55.44.1, kernel-livepatch-SLE15-SP5_Update_9-1-150500.11.5.1, kernel-syms-5.14.21-150500.55.44.1, kernel-source-5.14.21-150500.55.44.1, kernel-default-base-5.14.21-150500.55.44.1.150500.6.19.2, kernel-obs-qa-5.14.21-150500.55.44.1
SUSE Linux Enterprise Micro 5.5 (src): kernel-default-base-5.14.21-150500.55.44.1.150500.6.19.2
Basesystem Module 15-SP5 (src): kernel-default-base-5.14.21-150500.55.44.1.150500.6.19.2, kernel-source-5.14.21-150500.55.44.1
Development Tools Module 15-SP5 (src): kernel-source-5.14.21-150500.55.44.1, kernel-obs-build-5.14.21-150500.55.44.1, kernel-syms-5.14.21-150500.55.44.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5_Update_9-1-150500.11.5.1

Comment 24 Maintenance Automation 2024-01-18 20:30:28 UTC
SUSE-SU-2024:0156-1: An update that solves 10 vulnerabilities, contains three features and has 31 security fixes can now be installed.

Category: security (important)
Bug References: 1179610, 1183045, 1193285, 1211162, 1211226, 1212584, 1214747, 1214823, 1215237, 1215696, 1215885, 1216057, 1216559, 1216776, 1217036, 1217217, 1217250, 1217602, 1217692, 1217790, 1217801, 1217933, 1217938, 1217946, 1217947, 1217980, 1217981, 1217982, 1218056, 1218139, 1218184, 1218234, 1218253, 1218258, 1218335, 1218357, 1218447, 1218515, 1218559, 1218569, 1218659
CVE References: CVE-2020-26555, CVE-2023-51779, CVE-2023-6121, CVE-2023-6531, CVE-2023-6546, CVE-2023-6606, CVE-2023-6610, CVE-2023-6622, CVE-2023-6931, CVE-2023-6932
Jira References: PED-3459, PED-5021, PED-7322
Sources used:
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): kernel-obs-build-5.14.21-150400.24.103.1, kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1, kernel-syms-5.14.21-150400.24.103.1
SUSE Linux Enterprise Real Time 15 SP4 (src): kernel-obs-build-5.14.21-150400.24.103.1, kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1, kernel-syms-5.14.21-150400.24.103.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): kernel-obs-build-5.14.21-150400.24.103.1, kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1, kernel-syms-5.14.21-150400.24.103.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): kernel-obs-build-5.14.21-150400.24.103.1, kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1, kernel-syms-5.14.21-150400.24.103.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): kernel-obs-build-5.14.21-150400.24.103.1, kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1, kernel-syms-5.14.21-150400.24.103.1
SUSE Manager Proxy 4.3 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1
SUSE Manager Retail Branch Server 4.3 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1
SUSE Manager Server 4.3 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1
openSUSE Leap 15.4 (src): kernel-obs-qa-5.14.21-150400.24.103.1, kernel-source-5.14.21-150400.24.103.1, kernel-obs-build-5.14.21-150400.24.103.1, kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-livepatch-SLE15-SP4_Update_22-1-150400.9.3.1, kernel-syms-5.14.21-150400.24.103.1
openSUSE Leap Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1
openSUSE Leap Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1
SUSE Linux Enterprise Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1
SUSE Linux Enterprise Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4_Update_22-1-150400.9.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): kernel-obs-build-5.14.21-150400.24.103.1, kernel-default-base-5.14.21-150400.24.103.1.150400.24.48.1, kernel-source-5.14.21-150400.24.103.1, kernel-syms-5.14.21-150400.24.103.1

Comment 27 Karasulli 2024-02-06 07:47:06 UTC
(In reply to Joey Lee from comment #3)
> (In reply to Joey Lee from comment #2)
> > (In reply to Joey Lee from comment #1)
> [...snip]
> > > 
> > > commit 3c4f8333b582487a2d1e02171f1465531cde53e3         [v6.5-rc7]
> > > Author: Yi Yang <yiyang13@huawei.com>
> > > Date:   Fri Aug 11 11:11:21 2023 +0800
> > > 
> > >     tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
> > > ...
> > >     Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000
> > >     Cc: stable <stable@kernel.org>
> > >     Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux")              [v6.5-rc4]
> > >     Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")    [v5.18-rc5]
> > >     Signed-off-by: Yi Yang <yiyang13@huawei.com>
> > 
> > 15-SP6  v6.4    [affect]
> > 15-SP5  v5.14   [update references, sent]
> > 15-SP4  v5.14   [update references, sent]
> > 15-SP3  v5.3    [not affect]
> 
> Update status:
> 
> 15-SP6  v6.4    [update references, sent]
> 15-SP5  v5.14   [update references, sent]
> 15-SP4  v5.14   [update references, sent]
> 15-SP3  v5.3    [not affect]

Hi Joey, is there anything more to be done here? If not, please assign the issue back to the security team. Thanks!
Comment 29 Joey Lee 2024-02-15 15:03:26 UTC
(In reply to Joey Lee from comment #3)
> (In reply to Joey Lee from comment #2)
> > (In reply to Joey Lee from comment #1)
> [...snip]
> > > 
> > > commit 3c4f8333b582487a2d1e02171f1465531cde53e3         [v6.5-rc7]
> > > Author: Yi Yang <yiyang13@huawei.com>
> > > Date:   Fri Aug 11 11:11:21 2023 +0800
> > > 
> > >     tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
> > > ...
> > >     Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000
> > >     Cc: stable <stable@kernel.org>
> > >     Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux")              [v6.5-rc4]
> > >     Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")    [v5.18-rc5]
> > >     Signed-off-by: Yi Yang <yiyang13@huawei.com>
> > 
> > 15-SP6  v6.4    [affect]
> > 15-SP5  v5.14   [update references, sent]
> > 15-SP4  v5.14   [update references, sent]
> > 15-SP3  v5.3    [not affect]
> 
> Update status:
> 
> 15-SP6  v6.4    [update references, sent]
> 15-SP5  v5.14   [update references, sent]
> 15-SP4  v5.14   [update references, sent]
> 15-SP3  v5.3    [not affect]

Update status:

15-SP6  v6.4    [merged]
15-SP5  v5.14   [merged]
15-SP4  v5.14   [merged]
15-SP3  v5.3    [not affect]

Reset assigner.
Comment 31 Andrea Mattiazzo 2024-05-17 08:00:46 UTC
All done, closing.