Bug 2363712 (CVE-2023-53106) - CVE-2023-53106 kernel: nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
Summary: CVE-2023-53106 kernel: nfc: st-nci: Fix use after free bug in ndlc_remove due...
Keywords:
Status: NEW
Alias: CVE-2023-53106
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-02 16:02 UTC by OSIDB Bzimport
Modified: 2025-05-05 07:09 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-05-02 16:02:49 UTC 
In the Linux kernel, the following vulnerability has been resolved:

nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition

This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
Take st_nci_i2c_remove as an example.

In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
with llt_ndlc_sm_work.

When it calls ndlc_recv or timeout handler, it will finally call
schedule_work to start the work.

When we call st_nci_i2c_remove to remove the driver, there
may be a sequence as follows:

Fix it by finishing the work before cleanup in ndlc_remove

CPU0                  CPU1

                    |llt_ndlc_sm_work
st_nci_i2c_remove   |
  ndlc_remove       |
     st_nci_remove  |
     nci_free_device|
     kfree(ndev)    |
//free ndlc->ndev   |
                    |llt_ndlc_rcv_queue
                    |nci_recv_frame
                    |//use ndlc->ndev
Comment 1 Avinash Hanwate 2025-05-05 06:56:27 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050226-CVE-2023-53106-e1a5@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.