cve/published/2023/CVE-2023-52989.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region\n\nThis patch is fix for Linux kernel v2.6.33 or later.\n\nFor request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem\nhave had an issue of use-after-free. The subsystem allows multiple\nuser space listeners to the region, while data of the payload was likely\nreleased before the listeners execute read(2) to access to it for copying\nto user space.\n\nThe issue was fixed by a commit 281e20323ab7 (\"firewire: core: fix\nuse-after-free regression in FCP handler\"). The object of payload is\nduplicated in kernel space for each listener. When the listener executes\nioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to\nbe released.\n\nHowever, it causes memory leak since the commit relies on call of\nrelease_request() in drivers/firewire/core-cdev.c. Against the\nexpectation, the function is never called due to the design of\nrelease_client_resource(). The function delegates release task\nto caller when called with non-NULL fourth argument. The implementation\nof ioctl_send_response() is the case. It should release the object\nexplicitly.\n\nThis commit fixes the bug."
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/firewire/core-cdev.c"
                ],
                "versions": [
                   {
                      "version": "281e20323ab72180137824a298ee9e21e6f9acf6",
                      "lessThan": "b2cd3947d116bb9ba7ff097b5fc747a8956764db",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "281e20323ab72180137824a298ee9e21e6f9acf6",
                      "lessThan": "356ff89acdbe6a66019154bc7eb2d300f5b15103",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "281e20323ab72180137824a298ee9e21e6f9acf6",
                      "lessThan": "53785fd9b315583cf029e39f72b73d23704a2253",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "281e20323ab72180137824a298ee9e21e6f9acf6",
                      "lessThan": "d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "281e20323ab72180137824a298ee9e21e6f9acf6",
                      "lessThan": "5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "281e20323ab72180137824a298ee9e21e6f9acf6",
                      "lessThan": "c8bdc88216f09cb7387fedbdf613524367328616",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "281e20323ab72180137824a298ee9e21e6f9acf6",
                      "lessThan": "531390a243ef47448f8bad01c186c2787666bf4d",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/firewire/core-cdev.c"
                ],
                "versions": [
                   {
                      "version": "2.6.33",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "2.6.33",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "4.14.306",
                      "lessThanOrEqual": "4.14.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "4.19.273",
                      "lessThanOrEqual": "4.19.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.4.232",
                      "lessThanOrEqual": "5.4.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.10.168",
                      "lessThanOrEqual": "5.10.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15.93",
                      "lessThanOrEqual": "5.15.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.1.11",
                      "lessThanOrEqual": "6.1.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.2",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.33",
                            "versionEndExcluding": "4.14.306"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.33",
                            "versionEndExcluding": "4.19.273"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.33",
                            "versionEndExcluding": "5.4.232"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.33",
                            "versionEndExcluding": "5.10.168"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.33",
                            "versionEndExcluding": "5.15.93"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.33",
                            "versionEndExcluding": "6.1.11"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.33",
                            "versionEndExcluding": "6.2"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/b2cd3947d116bb9ba7ff097b5fc747a8956764db"
             },
             {
                "url": "https://git.kernel.org/stable/c/356ff89acdbe6a66019154bc7eb2d300f5b15103"
             },
             {
                "url": "https://git.kernel.org/stable/c/53785fd9b315583cf029e39f72b73d23704a2253"
             },
             {
                "url": "https://git.kernel.org/stable/c/d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee"
             },
             {
                "url": "https://git.kernel.org/stable/c/5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e"
             },
             {
                "url": "https://git.kernel.org/stable/c/c8bdc88216f09cb7387fedbdf613524367328616"
             },
             {
                "url": "https://git.kernel.org/stable/c/531390a243ef47448f8bad01c186c2787666bf4d"
             }
          ],
          "title": "firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2023-52989",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region\n\nThis patch is fix for Linux kernel v2.6.33 or later.\n\nFor request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem\nhave had an issue of use-after-free. The subsystem allows multiple\nuser space listeners to the region, while data of the payload was likely\nreleased before the listeners execute read(2) to access to it for copying\nto user space.\n\nThe issue was fixed by a commit 281e20323ab7 (\"firewire: core: fix\nuse-after-free regression in FCP handler\"). The object of payload is\nduplicated in kernel space for each listener. When the listener executes\nioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to\nbe released.\n\nHowever, it causes memory leak since the commit relies on call of\nrelease_request() in drivers/firewire/core-cdev.c. Against the\nexpectation, the function is never called due to the design of\nrelease_client_resource(). The function delegates release task\nto caller when called with non-NULL fourth argument. The implementation\nof ioctl_send_response() is the case. It should release the object\nexplicitly.\n\nThis commit fixes the bug."
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/firewire/core-cdev.c"
	],
	"versions": [
	{
	"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
	"lessThan": "b2cd3947d116bb9ba7ff097b5fc747a8956764db",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
	"lessThan": "356ff89acdbe6a66019154bc7eb2d300f5b15103",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
	"lessThan": "53785fd9b315583cf029e39f72b73d23704a2253",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
	"lessThan": "d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
	"lessThan": "5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
	"lessThan": "c8bdc88216f09cb7387fedbdf613524367328616",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
	"lessThan": "531390a243ef47448f8bad01c186c2787666bf4d",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/firewire/core-cdev.c"
	],
	"versions": [
	{
	"version": "2.6.33",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "2.6.33",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "4.14.306",
	"lessThanOrEqual": "4.14.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "4.19.273",
	"lessThanOrEqual": "4.19.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.4.232",
	"lessThanOrEqual": "5.4.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.10.168",
	"lessThanOrEqual": "5.10.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15.93",
	"lessThanOrEqual": "5.15.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.1.11",
	"lessThanOrEqual": "6.1.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.2",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.33",
	"versionEndExcluding": "4.14.306"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.33",
	"versionEndExcluding": "4.19.273"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.33",
	"versionEndExcluding": "5.4.232"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.33",
	"versionEndExcluding": "5.10.168"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.33",
	"versionEndExcluding": "5.15.93"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.33",
	"versionEndExcluding": "6.1.11"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.33",
	"versionEndExcluding": "6.2"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/b2cd3947d116bb9ba7ff097b5fc747a8956764db"
	},
	{
	"url": "https://git.kernel.org/stable/c/356ff89acdbe6a66019154bc7eb2d300f5b15103"
	},
	{
	"url": "https://git.kernel.org/stable/c/53785fd9b315583cf029e39f72b73d23704a2253"
	},
	{
	"url": "https://git.kernel.org/stable/c/d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee"
	},
	{
	"url": "https://git.kernel.org/stable/c/5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e"
	},
	{
	"url": "https://git.kernel.org/stable/c/c8bdc88216f09cb7387fedbdf613524367328616"
	},
	{
	"url": "https://git.kernel.org/stable/c/531390a243ef47448f8bad01c186c2787666bf4d"
	}
	],
	"title": "firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2023-52989",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}