CVE-2023-52989

In the Linux kernel, the following vulnerability has been resolved: firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region This patch is fix for Linux kernel v2.6.33 or later. For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem have had an issue of use-after-free. The subsystem allows multiple user space listeners to the region, while data of the payload was likely released before the listeners execute read(2) to access to it for copying to user space. The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler"). The object of payload is duplicated in kernel space for each listener. When the listener executes ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to be released. However, it causes memory leak since the commit relies on call of release_request() in drivers/firewire/core-cdev.c. Against the expectation, the function is never called due to the design of release_client_resource(). The function delegates release task to caller when called with non-NULL fourth argument. The implementation of ioctl_send_response() is the case. It should release the object explicitly. This commit fixes the bug.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/356ff89acdbe6a66019154bc7eb2d300f5b15103	Patch
https://git.kernel.org/stable/c/531390a243ef47448f8bad01c186c2787666bf4d	Patch
https://git.kernel.org/stable/c/53785fd9b315583cf029e39f72b73d23704a2253	Patch
https://git.kernel.org/stable/c/5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e	Patch
https://git.kernel.org/stable/c/b2cd3947d116bb9ba7ff097b5fc747a8956764db	Patch
https://git.kernel.org/stable/c/c8bdc88216f09cb7387fedbdf613524367328616	Patch
https://git.kernel.org/stable/c/d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc6::::::

History

15 Apr 2025, 14:31

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-401
First Time		Linux linux Kernel Linux
CPE		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.2:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc6::::::
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: firewire: corrección de fuga de memoria para el payload de la subacción de solicitud a la región FCP IEC 61883-1. Este parche es una corrección para el kernel de Linux v2.6.33 o posterior. Para la subacción de solicitud a la región FCP IEC 61883-1, el subsistema FireWire de Linux ha tenido un problema de use-after-free. El subsistema permite que varios oyentes del espacio de usuario accedan a la región, mientras que los datos de el payload probablemente se liberaron antes de que los oyentes ejecutaran read(2) para acceder a ellos para copiarlos al espacio de usuario. El problema se solucionó mediante un commit 281e20323ab7 ("firewire: core: corrección de la regresión de use-after-free en el controlador FCP"). El objeto de el payload se duplica en el espacio del kernel para cada oyente. Cuando el oyente ejecuta ioctl(2) con la solicitud FW_CDEV_IOC_SEND_RESPONSE, el objeto se liberará. Sin embargo, esto causa una fuga de memoria, ya que el commit depende de la llamada a release_request() en drivers/firewire/core-cdev.c. Contrariamente a lo esperado, la función nunca se llama debido al diseño de release_client_resource(). La función delega la tarea de liberación al llamador cuando se llama con un cuarto argumento distinto de NULL. La implementación de ioctl_send_response() es la correcta. Debería liberar el objeto explícitamente. Esta confirmación corrige el error.
References	~~() https://git.kernel.org/stable/c/356ff89acdbe6a66019154bc7eb2d300f5b15103 -~~	() https://git.kernel.org/stable/c/356ff89acdbe6a66019154bc7eb2d300f5b15103 - Patch
References	~~() https://git.kernel.org/stable/c/531390a243ef47448f8bad01c186c2787666bf4d -~~	() https://git.kernel.org/stable/c/531390a243ef47448f8bad01c186c2787666bf4d - Patch
References	~~() https://git.kernel.org/stable/c/53785fd9b315583cf029e39f72b73d23704a2253 -~~	() https://git.kernel.org/stable/c/53785fd9b315583cf029e39f72b73d23704a2253 - Patch
References	~~() https://git.kernel.org/stable/c/5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e -~~	() https://git.kernel.org/stable/c/5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e - Patch
References	~~() https://git.kernel.org/stable/c/b2cd3947d116bb9ba7ff097b5fc747a8956764db -~~	() https://git.kernel.org/stable/c/b2cd3947d116bb9ba7ff097b5fc747a8956764db - Patch
References	~~() https://git.kernel.org/stable/c/c8bdc88216f09cb7387fedbdf613524367328616 -~~	() https://git.kernel.org/stable/c/c8bdc88216f09cb7387fedbdf613524367328616 - Patch
References	~~() https://git.kernel.org/stable/c/d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee -~~	() https://git.kernel.org/stable/c/d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee - Patch

27 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-27 17:15

Updated : 2025-04-15 14:31

NVD link : CVE-2023-52989

Mitre link : CVE-2023-52989

CVE.ORG link : CVE-2023-52989

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2023-52989", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-03-27T17:15:46.293", "references": [{"url": "https://git.kernel.org/stable/c/356ff89acdbe6a66019154bc7eb2d300f5b15103", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/531390a243ef47448f8bad01c186c2787666bf4d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/53785fd9b315583cf029e39f72b73d23704a2253", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b2cd3947d116bb9ba7ff097b5fc747a8956764db", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c8bdc88216f09cb7387fedbdf613524367328616", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region\n\nThis patch is fix for Linux kernel v2.6.33 or later.\n\nFor request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem\nhave had an issue of use-after-free. The subsystem allows multiple\nuser space listeners to the region, while data of the payload was likely\nreleased before the listeners execute read(2) to access to it for copying\nto user space.\n\nThe issue was fixed by a commit 281e20323ab7 (\"firewire: core: fix\nuse-after-free regression in FCP handler\"). The object of payload is\nduplicated in kernel space for each listener. When the listener executes\nioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to\nbe released.\n\nHowever, it causes memory leak since the commit relies on call of\nrelease_request() in drivers/firewire/core-cdev.c. Against the\nexpectation, the function is never called due to the design of\nrelease_client_resource(). The function delegates release task\nto caller when called with non-NULL fourth argument. The implementation\nof ioctl_send_response() is the case. It should release the object\nexplicitly.\n\nThis commit fixes the bug."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: firewire: correcci\u00f3n de fuga de memoria para el payload de la subacci\u00f3n de solicitud a la regi\u00f3n FCP IEC 61883-1. Este parche es una correcci\u00f3n para el kernel de Linux v2.6.33 o posterior. Para la subacci\u00f3n de solicitud a la regi\u00f3n FCP IEC 61883-1, el subsistema FireWire de Linux ha tenido un problema de use-after-free. El subsistema permite que varios oyentes del espacio de usuario accedan a la regi\u00f3n, mientras que los datos de el payload probablemente se liberaron antes de que los oyentes ejecutaran read(2) para acceder a ellos para copiarlos al espacio de usuario. El problema se solucion\u00f3 mediante un commit 281e20323ab7 (\"firewire: core: correcci\u00f3n de la regresi\u00f3n de use-after-free en el controlador FCP\"). El objeto de el payload se duplica en el espacio del kernel para cada oyente. Cuando el oyente ejecuta ioctl(2) con la solicitud FW_CDEV_IOC_SEND_RESPONSE, el objeto se liberar\u00e1. Sin embargo, esto causa una fuga de memoria, ya que el commit depende de la llamada a release_request() en drivers/firewire/core-cdev.c. Contrariamente a lo esperado, la funci\u00f3n nunca se llama debido al dise\u00f1o de release_client_resource(). La funci\u00f3n delega la tarea de liberaci\u00f3n al llamador cuando se llama con un cuarto argumento distinto de NULL. La implementaci\u00f3n de ioctl_send_response() es la correcta. Deber\u00eda liberar el objeto expl\u00edcitamente. Esta confirmaci\u00f3n corrige el error."}], "lastModified": "2025-04-15T14:31:57.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB481E70-4E92-4A19-88FC-7A6923121461", "versionEndExcluding": "4.14.306", "versionStartIncluding": "2.6.33"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC86F278-A337-4A8A-A7BB-758898345802", "versionEndExcluding": "4.19.273", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C6E0696-3702-4B0C-A102-2753BDC8C3D3", "versionEndExcluding": "5.4.232", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12258A3F-04BD-49C9-9C6B-D3C1945E8910", "versionEndExcluding": "5.10.168", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98FAC10E-42A0-4372-B1A0-A49CF672890E", "versionEndExcluding": "5.15.93", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "535D03F4-DA02-49FE-934E-668827E6407B", "versionEndExcluding": "6.1.11", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D34127CC-68F5-4703-A5F6-5006F803E4AE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AB8D555-648E-4F2F-98BD-3E7F45BD12A8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

5.5 /10