CVE-2023-5178

A use-after-free vulnerability was found in drivers/nvme/target/tcp.cinnvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.

Weakness

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

Affected Software

Extended Description

Code typically requires “opening” handles or references to resources such as memory, files, devices, socket connections, services, etc. When the code is finished with using the resource, it is typically expected to “close” or “release” the resource, which indicates to the environment (such as the OS) that the resource can be re-assigned or reused by unrelated processes or actors - or in some cases, within the same process. API functions or other abstractions are often used to perform this release, such as free() or delete() within C/C++, or file-handle close() operations that are used in many languages. Unfortunately, the implementation or design of such APIs might expect the developer to be responsible for ensuring that such APIs are only called once per release of the resource. If the developer attempts to release the same resource/handle more than once, then the API’s expectations are not met, resulting in undefined and/or insecure behavior. This could lead to consequences such as memory corruption, data corruption, execution path corruption, or other consequences. Note that while the implementation for most (if not all) resource reservation allocations involve a unique identifier/pointer/symbolic reference, then if this identifier is reused, checking the identifier for resource closure may result in a false state of openness and closing of the wrong resource. For this reason, reuse of identifiers is discouraged.

Potential Mitigations

References

• https://access.redhat.com/errata/RHSA-2023:7370
• https://access.redhat.com/errata/RHSA-2023:7379
• https://access.redhat.com/errata/RHSA-2023:7418
• https://access.redhat.com/errata/RHSA-2023:7548
• https://access.redhat.com/errata/RHSA-2023:7549
• https://access.redhat.com/errata/RHSA-2023:7551
• https://access.redhat.com/errata/RHSA-2023:7554
• https://access.redhat.com/errata/RHSA-2023:7557
• https://access.redhat.com/errata/RHSA-2023:7559
• https://access.redhat.com/errata/RHSA-2024:0340
• https://access.redhat.com/errata/RHSA-2024:0378
• https://access.redhat.com/errata/RHSA-2024:0386
• https://access.redhat.com/errata/RHSA-2024:0412
• https://access.redhat.com/errata/RHSA-2024:0431
• https://access.redhat.com/errata/RHSA-2024:0432
• https://access.redhat.com/errata/RHSA-2024:0461
• https://access.redhat.com/errata/RHSA-2024:0554
• https://access.redhat.com/errata/RHSA-2024:0575
• https://access.redhat.com/errata/RHSA-2024:1268
• https://access.redhat.com/errata/RHSA-2024:1269
• https://access.redhat.com/errata/RHSA-2024:1278
• https://access.redhat.com/security/cve/CVE-2023-5178
• https://bugzilla.redhat.com/show_bug.cgi?id=2241924
• https://lore.kernel.org/linux-nvme/20231002105428.226515-1-sagi@grimberg.me/
• https://access.redhat.com/errata/RHSA-2023:7370
• https://access.redhat.com/errata/RHSA-2023:7379
• https://access.redhat.com/errata/RHSA-2023:7418
• https://access.redhat.com/errata/RHSA-2023:7548
• https://access.redhat.com/errata/RHSA-2023:7549
• https://access.redhat.com/errata/RHSA-2023:7551
• https://access.redhat.com/errata/RHSA-2023:7554
• https://access.redhat.com/errata/RHSA-2023:7557
• https://access.redhat.com/errata/RHSA-2023:7559
• https://access.redhat.com/errata/RHSA-2024:0340
• https://access.redhat.com/errata/RHSA-2024:0378
• https://access.redhat.com/errata/RHSA-2024:0386
• https://access.redhat.com/errata/RHSA-2024:0412
• https://access.redhat.com/errata/RHSA-2024:0431
• https://access.redhat.com/errata/RHSA-2024:0432
• https://access.redhat.com/errata/RHSA-2024:0461
• https://access.redhat.com/errata/RHSA-2024:0554
• https://access.redhat.com/errata/RHSA-2024:0575
• https://access.redhat.com/errata/RHSA-2024:1268
• https://access.redhat.com/errata/RHSA-2024:1269
• https://access.redhat.com/errata/RHSA-2024:1278
• https://access.redhat.com/security/cve/CVE-2023-5178
• https://bugzilla.redhat.com/show_bug.cgi?id=2241924
• https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html
• https://lore.kernel.org/linux-nvme/20231002105428.226515-1-sagi@grimberg.me/
• https://security.netapp.com/advisory/ntap-20231208-0004/