Bug 2248755 (CVE-2023-6039) - CVE-2023-6039 kernel: use-after-free in drivers/net/usb/lan78xx.c in lan78xx_disconnect
Keywords:
Status: NEW
Alias: CVE-2023-6039
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2248754
Reported: 2023-11-08 19:12 UTC by Rohit Keshri
Modified: 2023-11-09 15:04 UTC (History)

Fixed In Version: Kernel 6.5-rc5
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Rohit Keshri 2023-11-08 19:12:02 UTC
There are use-after-free vulnerabilities in drivers/net/usb/lan78xx.c of 
Linux that allow an attacker to crash the Linux kernel when the LAN78XX USB 
device is detaching.

The timer dev->stat_monitor can schedule the delayed work dev->wq and
the delayed work dev->wq can also arm the dev->stat_monitor timer.

When the device is detaching, the net_device will be deallocated. But
the net_device private data could still be dereferenced in delayed work
or timer handler. As a result, the UAF bugs will happen.

Refer:
https://github.com/torvalds/linux/commit/1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3
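
The re-arm problem described above, as an added userspace model that is not taken from the bug report or from the kernel source. All names are hypothetical, and the `stopping` flag stands in for any "no re-arm after teardown starts" mechanism; it is an assumption for illustration, not a statement of what the referenced commit does.

```c
/* Constructed userspace model; not code from drivers/net/usb/lan78xx.c. */
#include <stdbool.h>
#include <stdio.h>

struct model_dev {
    bool timer_armed;    /* models the dev->stat_monitor timer being pending */
    bool work_in_flight; /* models dev->wq already running on another CPU */
    bool stopping;       /* hypothetical flag: teardown has started */
};

/* Work handler body: arms the timer again unless teardown has started. */
static void work_body(struct model_dev *d)
{
    if (!d->stopping)
        d->timer_armed = true;
}

/* Models a synchronous timer cancel: the pending timer is removed. */
static void cancel_timer_sync(struct model_dev *d)
{
    d->timer_armed = false;
}

/* Models a synchronous work cancel: it waits for a running handler,
 * so that handler's body still executes to completion first. */
static void cancel_work_sync(struct model_dev *d)
{
    if (d->work_in_flight) {
        work_body(d);
        d->work_in_flight = false;
    }
}

/* Returns true if the timer is still armed at the point where the
 * private data would be freed, i.e. the use-after-free precondition. */
static bool teardown(bool use_stop_flag)
{
    struct model_dev d = { .timer_armed = true, .work_in_flight = true };

    d.stopping = use_stop_flag;  /* must be set before any cancel */
    cancel_timer_sync(&d);
    cancel_work_sync(&d);        /* in-flight work may re-arm the timer */
    return d.timer_armed;        /* caller would free the data here */
}

int main(void)
{
    printf("cancel-only teardown, timer armed at free: %d\n", teardown(false));
    printf("stop-flag teardown, timer armed at free:   %d\n", teardown(true));
    return 0;
}
```

Cancelling each object once is not enough when one handler can re-arm the other; the teardown path has to block re-arming before it cancels anything.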

