{"id":"CVE-2023-52439","summary":"uio: Fix use-after-free in uio_open","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nuio: Fix use-after-free in uio_open\n\ncore-1\t\t\t\tcore-2\n-------------------------------------------------------\nuio_unregister_device\t\tuio_open\n\t\t\t\tidev = idr_find()\ndevice_unregister(&idev-\u003edev)\nput_device(&idev-\u003edev)\nuio_device_release\n\t\t\t\tget_device(&idev-\u003edev)\nkfree(idev)\nuio_free_minor(minor)\n\t\t\t\tuio_release\n\t\t\t\tput_device(&idev-\u003edev)\n\t\t\t\tkfree(idev)\n-------------------------------------------------------\n\nIn the core-1 uio_unregister_device(), the device_unregister will kfree\nidev when the idev-\u003edev kobject ref is 1. But after core-1\ndevice_unregister, put_device and before doing kfree, the core-2 may\nget_device. Then:\n1. After core-1 kfree idev, the core-2 will do use-after-free for idev.\n2. When core-2 do uio_release and put_device, the idev will be double\n   freed.\n\nTo address this issue, we can get idev atomic & inc idev reference with\nminor_lock.","modified":"2026-04-02T09:42:44.370340Z","published":"2024-02-20T18:34:49.323Z","related":["ALSA-2024:3618","ALSA-2024:6997","SUSE-SU-2024:0855-1","SUSE-SU-2024:0856-1","SUSE-SU-2024:0857-1","SUSE-SU-2024:0858-1","SUSE-SU-2024:0900-1","SUSE-SU-2024:0900-2","SUSE-SU-2024:0910-1","SUSE-SU-2024:0926-1","SUSE-SU-2024:0977-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52439.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570"},{"type":"WEB","url":"https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52439.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52439"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241227-0006/"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"57c5f4df0a5a0ee83df799991251e2ee93a5e4e9"},{"fixed":"3174e0f7de1ba392dc191625da83df02d695b60c"},{"fixed":"e93da893d52d82d57fc0db2ca566024e0f26ff50"},{"fixed":"5e0be1229ae199ebb90b33102f74a0f22d152570"},{"fixed":"5cf604ee538ed0c467abe3b4cda5308a6398f0f7"},{"fixed":"17a8519cb359c3b483fb5c7367efa9a8a508bdea"},{"fixed":"35f102607054faafe78d2a6994b18d5d9d6e92ad"},{"fixed":"913205930da6213305616ac539447702eaa85e41"},{"fixed":"0c9ae0b8605078eafc3bea053cc78791e97ba2e2"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"13af019c87f2d90e663742cb1a819834048842ae"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52439.json"}}],"schema_version":"1.7.5"}