{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-29T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux",
    "id" : "2322312",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2322312"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ntty: n_gsm: Fix use-after-free in gsm_cleanup_mux\nBUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0\ndrivers/tty/n_gsm.c:3160 [n_gsm]\nRead of size 8 at addr ffff88815fe99c00 by task poc/3379\nCPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56\nHardware name: VMware, Inc. VMware Virtual Platform/440BX\nDesktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n<TASK>\ngsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]\n__pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]\n__pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389\nupdate_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500\n__pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846\n__rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161\ngsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]\n_raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107\n__pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]\nktime_get+0x5e/0x140 kernel/time/timekeeping.c:195\nldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79\n__pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338\n__pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805\ntty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818\nAllocated by task 65:\ngsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]\ngsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]\ngsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]\ngsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]\ntty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391\ntty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39\nflush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445\nprocess_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229\nworker_thread+0x3dc/0x950 kernel/workqueue.c:3391\nkthread+0x2a3/0x370 kernel/kthread.c:389\nret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257\nFreed by task 3367:\nkfree+0x126/0x420 mm/slub.c:4580\ngsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]\ngsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]\ntty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818\n[Analysis]\ngsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux\ncan be freed by multiple threads through ioctl, which leads\nto the occurrence of uaf. Protect it by gsm tx lock.", "A use-after-free vulnerability exists in the Linux kernel such that when gsm_cleanup_mux is called, the gsm_msg on the tx_ctrl_list is not freed, resulting in loss of availability of the system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50073\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50073\nhttps://lore.kernel.org/linux-cve-announce/2024102935-CVE-2024-50073-307b@gregkh/T" ],
  "name" : "CVE-2024-50073",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}