Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-52638

Disclosure Date: April 03, 2024 •

CVE-2023-52638 CVSS v3 Base Score: 5.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock

The following 3 locks would race against each other, causing the
deadlock situation in the Syzbot bug report:

j1939_socks_lock
active_session_list_lock
sk_session_queue_lock

A reasonable fix is to change j1939_socks_lock to an rwlock, since in
the rare situations where a write lock is required for the linked list
that j1939_socks_lock is protecting, the code does not attempt to
acquire any more locks. This would break the circular lock dependency,
where, for example, the current thread already locks j1939_socks_lock
and attempts to acquire sk_session_queue_lock, and at the same time,
another thread attempts to acquire j1939_socks_lock while holding
sk_session_queue_lock.

NOTE: This patch along does not fix the unregister_netdevice bug
reported by Syzbot; instead, it solves a deadlock situation to prepare
for one or more further patches to actually fix the Syzbot bug, which
appears to be a reference counting problem within the j1939 codebase.

[mkl: remove unrelated newline change]

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

Vendors

linux

Products

linux kernel,
linux kernel 6.8

References

Canonical

CVE-2023-52638 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52638)

Miscellaneous

https://git.kernel.org/stable/c/03358aba991668d3bb2c65b3c82aa32c36851170

https://git.kernel.org/stable/c/aedda066d717a0b4335d7e0a00b2e3a61e40afcf

https://git.kernel.org/stable/c/26dfe112ec2e95fe0099681f6aec33da13c2dd8e

https://git.kernel.org/stable/c/559b6322f9480bff68cfa98d108991e945a4f284

https://git.kernel.org/stable/c/6cdedc18ba7b9dacc36466e27e3267d201948c8d

Rapid7

Unknown

CVE-2023-52638

Unknown

Unknown

None

Low

Local

CVE-2023-52638

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-52638

Unknown

Unknown

None

Low

Local

CVE-2023-52638

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification