cve/published/2023/CVE-2023-52840.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52840: Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

 The put_device() calls rmi_release_function() which frees "fn" so the
 dereference on the next line "fn->num_of_irqs" is a use after free.
 Move the put_device() to the end to fix this.

 The Linux kernel CVE team has assigned CVE-2023-52840 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 4.19.299 with commit 2f236d8638f5b43e0c72919a6a27fe286c32053f
 	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 5.4.261 with commit 50d12253666195a14c6cd2b81c376e2dbeedbdff
 	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 5.10.201 with commit 6c71e065befb2fae8f1461559b940c04e1071bd5
 	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 5.15.139 with commit 303766bb92c5c225cf40f9bbbe7e29749406e2f2
 	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 6.1.63 with commit 7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f
 	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 6.5.12 with commit cc56c4d17721dcb10ad4e9c9266e449be1462683
 	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 6.6.2 with commit c8e639f5743cf4b01f8c65e0df075fe4d782b585
 	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 6.7 with commit eb988e46da2e4eae89f5337e047ce372fe33d5b1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52840
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/input/rmi4/rmi_bus.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f
 	https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff
 	https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5
 	https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2
 	https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f
 	https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683
 	https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585
 	https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52840: Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

	The put_device() calls rmi_release_function() which frees "fn" so the
	dereference on the next line "fn->num_of_irqs" is a use after free.
	Move the put_device() to the end to fix this.

	The Linux kernel CVE team has assigned CVE-2023-52840 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 4.19.299 with commit 2f236d8638f5b43e0c72919a6a27fe286c32053f
	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 5.4.261 with commit 50d12253666195a14c6cd2b81c376e2dbeedbdff
	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 5.10.201 with commit 6c71e065befb2fae8f1461559b940c04e1071bd5
	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 5.15.139 with commit 303766bb92c5c225cf40f9bbbe7e29749406e2f2
	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 6.1.63 with commit 7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f
	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 6.5.12 with commit cc56c4d17721dcb10ad4e9c9266e449be1462683
	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 6.6.2 with commit c8e639f5743cf4b01f8c65e0df075fe4d782b585
	Issue introduced in 4.18 with commit 24d28e4f1271cb2f91613dada8f2acccd00eff56 and fixed in 6.7 with commit eb988e46da2e4eae89f5337e047ce372fe33d5b1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52840
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/input/rmi4/rmi_bus.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2f236d8638f5b43e0c72919a6a27fe286c32053f
	https://git.kernel.org/stable/c/50d12253666195a14c6cd2b81c376e2dbeedbdff
	https://git.kernel.org/stable/c/6c71e065befb2fae8f1461559b940c04e1071bd5
	https://git.kernel.org/stable/c/303766bb92c5c225cf40f9bbbe7e29749406e2f2
	https://git.kernel.org/stable/c/7082b1fb5321037bc11ba1cf2d7ed23c6b2b521f
	https://git.kernel.org/stable/c/cc56c4d17721dcb10ad4e9c9266e449be1462683
	https://git.kernel.org/stable/c/c8e639f5743cf4b01f8c65e0df075fe4d782b585
	https://git.kernel.org/stable/c/eb988e46da2e4eae89f5337e047ce372fe33d5b1