Bug 2255498 (CVE-2023-6546, ZDI-CAN-20527)

Summary:	CVE-2023-6546 kernel: GSM multiplexing race condition leads to privilege escalation
Product:	[Other] Security Response	Reporter:	Mauro Matteo Cascella <mcascell>
Component:	vulnerability	Assignee:	Product Security <prodsec-ir-bot>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	acaringi, allarkin, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mbenatto, mmilgram, mstowell, nmurray, pasik, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	kernel 6.5-rc7	Doc Type:	If docs needed, set a value
Doc Text:	A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2255517
Bug Blocks:	2255503

Description Mauro Matteo Cascella 2023-12-21 10:58:33 UTC

A race condition was found in the GSM 0710 tty multiplexor (drivers/tty/n_gsm.c) in the Linux kernel. The flaw occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled and leads to a use-after-free on a struct gsm_dlci while restarting the gsm mux. A local unprivileged user could use this vulnerability to escalate their privileges on the system.

ZDI Security Advisory:
https://www.zerodayinitiative.com/advisories/ZDI-CAN-20527

Upstream fix:
https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3

Comment 9 Mauro Matteo Cascella 2023-12-21 13:52:32 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2255517]

Comment 10 Justin M. Forbes 2023-12-21 15:04:23 UTC

This was fixed for Fedora with the 6.4.12 stable kernel updates.

Comment 14 errata-xmlrpc 2024-02-21 00:27:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0930 https://access.redhat.com/errata/RHSA-2024:0930

Comment 15 errata-xmlrpc 2024-02-22 03:10:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0937 https://access.redhat.com/errata/RHSA-2024:0937

Comment 17 errata-xmlrpc 2024-02-28 12:34:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019

Comment 18 errata-xmlrpc 2024-02-28 12:41:45 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018

Comment 19 errata-xmlrpc 2024-02-29 15:47:06 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1055 https://access.redhat.com/errata/RHSA-2024:1055

Comment 21 errata-xmlrpc 2024-03-12 00:44:39 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250

Comment 22 errata-xmlrpc 2024-03-12 01:01:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1253 https://access.redhat.com/errata/RHSA-2024:1253

Comment 24 errata-xmlrpc 2024-03-13 09:08:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306

Comment 25 errata-xmlrpc 2024-04-02 15:52:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1612 https://access.redhat.com/errata/RHSA-2024:1612

Comment 26 errata-xmlrpc 2024-04-02 15:55:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1607 https://access.redhat.com/errata/RHSA-2024:1607

Comment 27 errata-xmlrpc 2024-04-02 17:21:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1614 https://access.redhat.com/errata/RHSA-2024:1614

Comment 30 errata-xmlrpc 2024-04-30 10:14:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394

Comment 31 errata-xmlrpc 2024-04-30 16:59:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2621 https://access.redhat.com/errata/RHSA-2024:2621

Comment 32 errata-xmlrpc 2024-05-06 01:25:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2697 https://access.redhat.com/errata/RHSA-2024:2697