A race condition was found in the GSM 0710 tty multiplexor (drivers/tty/n_gsm.c) in the Linux kernel. The flaw occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled and leads to a use-after-free on a struct gsm_dlci while restarting the gsm mux. A local unprivileged user could use this vulnerability to escalate their privileges on the system. ZDI Security Advisory: https://www.zerodayinitiative.com/advisories/ZDI-CAN-20527 Upstream fix: https://github.com/torvalds/linux/commit/3c4f8333b582487a2d1e02171f1465531cde53e3
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2255517]
This was fixed for Fedora with the 6.4.12 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0930 https://access.redhat.com/errata/RHSA-2024:0930
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0937 https://access.redhat.com/errata/RHSA-2024:0937
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1055 https://access.redhat.com/errata/RHSA-2024:1055
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1253 https://access.redhat.com/errata/RHSA-2024:1253
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1612 https://access.redhat.com/errata/RHSA-2024:1612
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1607 https://access.redhat.com/errata/RHSA-2024:1607
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1614 https://access.redhat.com/errata/RHSA-2024:1614
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:2621 https://access.redhat.com/errata/RHSA-2024:2621
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:2697 https://access.redhat.com/errata/RHSA-2024:2697