GHSA-8GP2-JJMR-PF9F
Vulnerability from github – Published: 2025-12-09 03:31 – Updated: 2025-12-09 03:31

In the Linux kernel, the following vulnerability has been resolved:

tty: n_gsm: fix UAF in gsm_cleanup_mux
In gsm_cleanup_mux() the 'gsm->dlci' pointer was not cleaned properly, leaving it a dangling pointer after gsm_dlci_release. This leads to a use-after-free where 'gsm->dlci[0]' is freed and then accessed by the subsequent gsm_cleanup_mux().
Such is the case in the following call trace:
```
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x63/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
 gsm_cleanup_mux+0x76a/0x850 drivers/tty/n_gsm.c:2397
 gsm_config drivers/tty/n_gsm.c:2653 [inline]
 gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986
 tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
 </TASK>

Allocated by task 3501:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x143/0x290 mm/slub.c:3247
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 gsm_dlci_alloc+0x53/0x3a0 drivers/tty/n_gsm.c:1932
 gsm_activate_mux+0x1c/0x330 drivers/tty/n_gsm.c:2438
 gsm_config drivers/tty/n_gsm.c:2677 [inline]
 gsmld_ioctl+0xd46/0x15b0 drivers/tty/n_gsm.c:2986
 tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 3501:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kfree+0xf1/0x270 mm/slub.c:4559
 dlci_put drivers/tty/n_gsm.c:1988 [inline]
 gsm_dlci_release drivers/tty/n_gsm.c:2021 [inline]
 gsm_cleanup_mux+0x574/0x850 drivers/tty/n_gsm.c:2415
 gsm_config drivers/tty/n_gsm.c:2653 [inline]
 gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986
 tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
```
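The bug class in this advisory is a teardown routine that frees the objects behind an array of pointers but leaves the array entries pointing at freed memory, so a second teardown (here, the repeated ioctl path in the trace) reads and frees them again. The following user-space C program is an added example, not code from the kernel or from the n_gsm driver: it models that shape with a toy tracking allocator that never recycles memory and counts accesses to freed objects, playing the role KASAN plays in the report above. The struct and function names (`gsm_mux`, `gsm_dlci`, `gsm_cleanup_mux_vulnerable`, `gsm_cleanup_mux_fixed`, `toy_alloc`, `toy_free`) are invented for the example; only the overall pattern mirrors the advisory.

```c
/* Added example: models the dangling gsm->dlci[] pointer after release and
 * the fix (clearing the slot). Names mirror the advisory but the structures,
 * the allocator and the counters are invented for this demonstration. */
#include <stdio.h>
#include <string.h>

#define NUM_DLCI 4

struct gsm_dlci {
    int addr;
    int freed;   /* toy bookkeeping; a real slab object has no such flag */
};

struct gsm_mux {
    struct gsm_dlci *dlci[NUM_DLCI];
};

/* Toy allocator: hands out slots from a static pool and never reuses them,
 * so a read or free of an already-freed object can be detected and counted
 * instead of being undefined behaviour. This stands in for KASAN. */
static struct gsm_dlci pool[NUM_DLCI * 2];
static int pool_used;
static int uaf_detected;

static struct gsm_dlci *toy_alloc(int addr)
{
    struct gsm_dlci *d = &pool[pool_used++];
    d->addr = addr;
    d->freed = 0;
    return d;
}

static void toy_free(struct gsm_dlci *d)
{
    if (d->freed)
        uaf_detected++;   /* double free */
    d->freed = 1;
}

/* Every read through a dlci pointer goes via this accessor so that a read
 * of a freed object is counted rather than crashing the example. */
static int dlci_addr(struct gsm_dlci *d)
{
    if (d->freed)
        uaf_detected++;   /* use after free */
    return d->addr;
}

static void gsm_activate_mux(struct gsm_mux *gsm)
{
    for (int i = 0; i < NUM_DLCI; i++)
        gsm->dlci[i] = toy_alloc(i);
}

/* Vulnerable shape: each channel is released, but gsm->dlci[i] still holds
 * the stale pointer. A second cleanup dereferences and frees it again. */
static int gsm_cleanup_mux_vulnerable(struct gsm_mux *gsm)
{
    int released = 0;
    for (int i = 0; i < NUM_DLCI; i++) {
        struct gsm_dlci *d = gsm->dlci[i];
        if (d) {
            (void)dlci_addr(d);   /* touch the object during teardown */
            toy_free(d);
            released++;
        }
    }
    return released;
}

/* Fixed shape: clear the slot right after release, so a repeated cleanup
 * sees NULL and skips the channel. */
static int gsm_cleanup_mux_fixed(struct gsm_mux *gsm)
{
    int released = 0;
    for (int i = 0; i < NUM_DLCI; i++) {
        struct gsm_dlci *d = gsm->dlci[i];
        if (d) {
            (void)dlci_addr(d);
            toy_free(d);
            gsm->dlci[i] = NULL;  /* the one-line difference */
            released++;
        }
    }
    return released;
}

/* Activates a mux, runs the given cleanup twice (as in the reported trace)
 * and returns how many stale accesses the toy allocator observed. */
static int run_scenario(int (*cleanup)(struct gsm_mux *))
{
    struct gsm_mux gsm;
    memset(&gsm, 0, sizeof(gsm));
    pool_used = 0;
    uaf_detected = 0;
    gsm_activate_mux(&gsm);
    cleanup(&gsm);
    cleanup(&gsm);   /* second teardown on the same mux */
    return uaf_detected;
}

int main(void)
{
    printf("vulnerable: %d stale accesses\n", run_scenario(gsm_cleanup_mux_vulnerable));
    printf("fixed:      %d stale accesses\n", run_scenario(gsm_cleanup_mux_fixed));
    return 0;
}
```

With the vulnerable cleanup the second pass produces one read and one free of each of the four stale objects, which the toy allocator reports as eight stale accesses; with the slot cleared after release the second pass finds only NULL entries and reports none. In a real kernel the same second pass is what KASAN flags in the "Freed by task 3501" / "gsm_cleanup_mux" frames above, and clearing the pointer at the release site is the pattern the referenced stable commits apply.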
```json
{
  "affected": [],
  "aliases": [
    "CVE-2023-53805"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T01:16:52Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: fix UAF in gsm_cleanup_mux\n\nIn gsm_cleanup_mux() the \u0027gsm-\u003edlci\u0027 pointer was not cleaned properly,\nleaving it a dangling pointer after gsm_dlci_release.\nThis leads to use-after-free where \u0027gsm-\u003edlci[0]\u0027 are freed and accessed\nby the subsequent gsm_cleanup_mux().\n\nSuch is the case in the following call trace:\n\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106\n print_address_description+0x63/0x3b0 mm/kasan/report.c:248\n __kasan_report mm/kasan/report.c:434 [inline]\n kasan_report+0x16b/0x1c0 mm/kasan/report.c:451\n gsm_cleanup_mux+0x76a/0x850 drivers/tty/n_gsm.c:2397\n gsm_config drivers/tty/n_gsm.c:2653 [inline]\n gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986\n tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\n \u003c/TASK\u003e\n\nAllocated by task 3501:\n kasan_save_stack mm/kasan/common.c:38 [inline]\n kasan_set_track mm/kasan/common.c:46 [inline]\n set_alloc_info mm/kasan/common.c:434 [inline]\n ____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513\n kasan_kmalloc include/linux/kasan.h:264 [inline]\n kmem_cache_alloc_trace+0x143/0x290 mm/slub.c:3247\n kmalloc include/linux/slab.h:591 [inline]\n kzalloc include/linux/slab.h:721 [inline]\n gsm_dlci_alloc+0x53/0x3a0 drivers/tty/n_gsm.c:1932\n gsm_activate_mux+0x1c/0x330 drivers/tty/n_gsm.c:2438\n gsm_config drivers/tty/n_gsm.c:2677 [inline]\n gsmld_ioctl+0xd46/0x15b0 drivers/tty/n_gsm.c:2986\n tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\n\nFreed by task 3501:\n kasan_save_stack mm/kasan/common.c:38 [inline]\n kasan_set_track+0x4b/0x80 mm/kasan/common.c:46\n kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360\n ____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366\n kasan_slab_free include/linux/kasan.h:230 [inline]\n slab_free_hook mm/slub.c:1705 [inline]\n slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731\n slab_free mm/slub.c:3499 [inline]\n kfree+0xf1/0x270 mm/slub.c:4559\n dlci_put drivers/tty/n_gsm.c:1988 [inline]\n gsm_dlci_release drivers/tty/n_gsm.c:2021 [inline]\n gsm_cleanup_mux+0x574/0x850 drivers/tty/n_gsm.c:2415\n gsm_config drivers/tty/n_gsm.c:2653 [inline]\n gsmld_ioctl+0xaae/0x15b0 drivers/tty/n_gsm.c:2986\n tty_ioctl+0x8ff/0xc50 drivers/tty/tty_io.c:2816\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:874 [inline]\n __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x61/0xcb",
  "id": "GHSA-8gp2-jjmr-pf9f",
  "modified": "2025-12-09T03:31:11Z",
  "published": "2025-12-09T03:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53805"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5138c228311a863c3cf937b94a3ab4c87f1f70c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/74a8d6f50cc90ed0061997db51dfa81a62b0f835"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fc0eabaa73bbd9bd705577071564616da5c8c61"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9615ca54bc138e35353a001e8b5d4824dce72188"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b9c8195f3f0d74a826077fc1c01b9ee74907239"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.