
THREATINT
PUBLISHED

CVE-2023-53023

net: nfc: Fix use-after-free in local_cleanup()



Description

In the Linux kernel, the following vulnerability has been resolved:

net: nfc: Fix use-after-free in local_cleanup()

Fix a use-after-free that occurs in kfree_skb() called from local_cleanup(). This could happen when killing nfc daemon (e.g. neard) after detaching an nfc device.

When detaching an nfc device, local_cleanup() called from nfc_llcp_unregister_device() frees local->rx_pending and decreases local->ref by kref_put() in nfc_llcp_local_put(). In the terminating process, nfc daemon releases all sockets and it leads to decreasing local->ref. After the last release of local->ref, local_cleanup() called from local_release() frees local->rx_pending again, which leads to the bug.

Setting local->rx_pending to NULL in local_cleanup() could prevent use-after-free when local_cleanup() is called twice.

Found by a modified version of syzkaller.

BUG: KASAN: use-after-free in kfree_skb()

Call Trace:
    dump_stack_lvl (lib/dump_stack.c:106)
    print_address_description.constprop.0.cold (mm/kasan/report.c:306)
    kasan_check_range (mm/kasan/generic.c:189)
    kfree_skb (net/core/skbuff.c:955)
    local_cleanup (net/nfc/llcp_core.c:159)
    nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
    nfc_llcp_local_put (net/nfc/llcp_core.c:181)
    llcp_sock_destruct (net/nfc/llcp_sock.c:959)
    __sk_destruct (net/core/sock.c:2133)
    sk_destruct (net/core/sock.c:2181)
    __sk_free (net/core/sock.c:2192)
    sk_free (net/core/sock.c:2203)
    llcp_sock_release (net/nfc/llcp_sock.c:646)
    __sock_release (net/socket.c:650)
    sock_close (net/socket.c:1365)
    __fput (fs/file_table.c:306)
    task_work_run (kernel/task_work.c:179)
    ptrace_notify (kernel/signal.c:2354)
    syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
    syscall_exit_to_user_mode (kernel/entry/common.c:296)
    do_syscall_64 (arch/x86/entry/common.c:86)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)

Allocated by task 4719:
    kasan_save_stack (mm/kasan/common.c:45)
    __kasan_slab_alloc (mm/kasan/common.c:325)
    slab_post_alloc_hook (mm/slab.h:766)
    kmem_cache_alloc_node (mm/slub.c:3497)
    __alloc_skb (net/core/skbuff.c:552)
    pn533_recv_response (drivers/nfc/pn533/usb.c:65)
    __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
    usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
    tasklet_action_common.isra.0 (kernel/softirq.c:797)
    __do_softirq (kernel/softirq.c:571)

Freed by task 1901:
    kasan_save_stack (mm/kasan/common.c:45)
    kasan_set_track (mm/kasan/common.c:52)
    kasan_save_free_info (mm/kasan/genericdd.c:518)
    __kasan_slab_free (mm/kasan/common.c:236)
    kmem_cache_free (mm/slub.c:3809)
    kfree_skbmem (net/core/skbuff.c:874)
    kfree_skb (net/core/skbuff.c:931)
    local_cleanup (net/nfc/llcp_core.c:159)
    nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
    nfc_unregister_device (net/nfc/core.c:1179)
    pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
    pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
    usb_unbind_interface (drivers/usb/core/driver.c:458)
    device_release_driver_internal (drivers/base/dd.c:1279)
    bus_remove_device (drivers/base/bus.c:529)
    device_del (drivers/base/core.c:3665)
    usb_disable_device (drivers/usb/core/message.c:1420)
    usb_disconnect (drivers/usb/core.c:2261)
    hub_event (drivers/usb/core/hub.c:5833)
    process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
    worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
    kthread (kernel/kthread.c:319)
    ret_from_fork (arch/x86/entry/entry_64.S:301)
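
The double call described above, modelled in userspace C as an added example (this is not the kernel source or the upstream patch). The struct layouts, the names model_free, cleanup_before, cleanup_after, local_put and run_sequence, and the starting reference count of 2 are assumptions for illustration; buffers are only marked as freed, so the model can count the stale free without itself touching freed memory.

```c
/* Userspace model of the double cleanup; every name below is hypothetical. */
#include <stdio.h>

struct buf { int freed; };                  /* stands in for an sk_buff */
struct local { int ref; struct buf *rx_pending; };
typedef void (*cleanup_fn)(struct local *);
static int stale_frees;                     /* frees of an already-freed buf */

/* Model of kfree_skb(): NULL is ignored; a repeated free is only counted. */
static void model_free(struct buf *b)
{
    if (!b)
        return;
    stale_frees += b->freed;
    b->freed = 1;
}

/* Before the fix the stale pointer stays in rx_pending; the fix clears it. */
static void cleanup_before(struct local *l) { model_free(l->rx_pending); }
static void cleanup_after(struct local *l)
{
    model_free(l->rx_pending);
    l->rx_pending = NULL;                   /* a second call becomes a no-op */
}

/* Model of dropping a reference: the last put runs the release cleanup. */
static void local_put(struct local *l, cleanup_fn cleanup)
{
    if (--l->ref == 0)
        cleanup(l);
}

/* Replays detach followed by daemon exit; returns the stale-free count. */
static int run_sequence(cleanup_fn cleanup)
{
    struct buf skb = { 0 };
    struct local l = { 2, &skb };           /* assumed: device ref + one socket ref */
    stale_frees = 0;
    cleanup(&l);                            /* device detach: explicit cleanup */
    local_put(&l, cleanup);                 /* ...then the device's ref is dropped */
    local_put(&l, cleanup);                 /* daemon exit: last socket ref dropped */
    return stale_frees;
}

int main(void)
{
    printf("before: %d, after: %d stale free(s)\n",
           run_sequence(cleanup_before), run_sequence(cleanup_after));
    return 0;
}
```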

Reserved 2025-03-27 | Published 2025-03-27 | Updated 2025-05-04 | Assigner Linux

Product status

Default status: unaffected

3536da06db0baa675f32de608c0a4c0f5ef0e9ff before b09ae26f08aaf2d85f96ea7f90ddd3387f62216f | affected
3536da06db0baa675f32de608c0a4c0f5ef0e9ff before 54f7be61584b8ec4c6df405f479495b9397bae4a | affected
3536da06db0baa675f32de608c0a4c0f5ef0e9ff before a59cdbda3714e11aa3ab579132864c4c8c6d54f9 | affected
3536da06db0baa675f32de608c0a4c0f5ef0e9ff before ad1baab3a5c03692d22ce446f38596a126377f6a | affected
3536da06db0baa675f32de608c0a4c0f5ef0e9ff before 7f129927feaf7c10b1c38bbce630172e9a08c834 | affected
3536da06db0baa675f32de608c0a4c0f5ef0e9ff before d3605282ec3502ec8847915eb2cf1f340493ff79 | affected
3536da06db0baa675f32de608c0a4c0f5ef0e9ff before 4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6 | affected

Default status: affected

3.9 | affected
Any version before 3.9 | unaffected
4.14.305 | unaffected
4.19.272 | unaffected
5.4.231 | unaffected
5.10.166 | unaffected
5.15.91 | unaffected
6.1.9 | unaffected
6.2 | unaffected

References

git.kernel.org/...c/b09ae26f08aaf2d85f96ea7f90ddd3387f62216f

git.kernel.org/...c/54f7be61584b8ec4c6df405f479495b9397bae4a

git.kernel.org/...c/a59cdbda3714e11aa3ab579132864c4c8c6d54f9

git.kernel.org/...c/ad1baab3a5c03692d22ce446f38596a126377f6a

git.kernel.org/...c/7f129927feaf7c10b1c38bbce630172e9a08c834

git.kernel.org/...c/d3605282ec3502ec8847915eb2cf1f340493ff79

git.kernel.org/...c/4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6

cve.org (CVE-2023-53023)

nvd.nist.gov (CVE-2023-53023)
