CVE-2023-53747 (GCVE-0-2023-53747)
Vulnerability from cvelistv5
Published: 2025-12-08 01:19
Modified: 2025-12-08 01:19
Severity: ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF

After a call to console_unlock() in vcs_write() the vc_data struct can be freed by vc_port_destruct(). Because of that, the struct vc_data pointer must be reloaded in the while loop in vcs_write() after console_lock() to avoid a UAF when vcs_size() is called.

Syzkaller reported a UAF in vcs_size().

BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119

Call Trace:
 <TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:380)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_write (drivers/tty/vt/vc_screen.c:664)
vfs_write (fs/read_write.c:582 fs/read_write.c:564)
...
 <TASK>

Allocated by task 1213:
kmalloc_trace (mm/slab_common.c:1064)
vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680
    drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)
con_install (drivers/tty/vt/vt.c:3334)
tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415
    drivers/tty/tty_io.c:1392)
tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:921)
vfs_open (fs/open.c:1052)
...

Freed by task 4116:
kfree (mm/slab_common.c:1016)
vc_port_destruct (drivers/tty/vt/vt.c:1044)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2778)
...

The buggy address belongs to the object at ffff8880beab8800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
 freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)

The buggy address belongs to the physical page:
page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000
    index:0x0 pfn:0xbeab8
head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0
    pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint

Impacted products
Vendor: Linux
Product: Linux
Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/vt/vc_screen.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "934de9a9b659785fed3e820bc0c813a460c71fea",
              "status": "affected",
              "version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
              "versionType": "git"
            },
            {
              "lessThan": "0deff678157333d775af190f84696336cdcccd6d",
              "status": "affected",
              "version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
              "versionType": "git"
            },
            {
              "lessThan": "a4e3c4c65ae8510e01352c9a4347e05c035b2ce2",
              "status": "affected",
              "version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
              "versionType": "git"
            },
            {
              "lessThan": "11dddfbb7a4e62489b01074d6c04d9d1b42e4047",
              "status": "affected",
              "version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
              "versionType": "git"
            },
            {
              "lessThan": "e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67",
              "status": "affected",
              "version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
              "versionType": "git"
            },
            {
              "lessThan": "3338d0b9acde770ee588eead5cac32c25e7048fc",
              "status": "affected",
              "version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
              "versionType": "git"
            },
            {
              "lessThan": "1de42e7653d6714a7507ba6696151a1fa028c69f",
              "status": "affected",
              "version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
              "versionType": "git"
            },
            {
              "lessThan": "8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357",
              "status": "affected",
              "version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/vt/vc_screen.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.327",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.284",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.244",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.327",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.284",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.244",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.181",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.113",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.30",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.4",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF\n\nAfter a call to console_unlock() in vcs_write() the vc_data struct can be\nfreed by vc_port_destruct(). Because of that, the struct vc_data pointer\nmust be reloaded in the while loop in vcs_write() after console_lock() to\navoid a UAF when vcs_size() is called.\n\nSyzkaller reported a UAF in vcs_size().\n\nBUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)\nRead of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119\n\nCall Trace:\n \u003cTASK\u003e\n__asan_report_load4_noabort (mm/kasan/report_generic.c:380)\nvcs_size (drivers/tty/vt/vc_screen.c:215)\nvcs_write (drivers/tty/vt/vc_screen.c:664)\nvfs_write (fs/read_write.c:582 fs/read_write.c:564)\n...\n \u003cTASK\u003e\n\nAllocated by task 1213:\nkmalloc_trace (mm/slab_common.c:1064)\nvc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680\n    drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)\ncon_install (drivers/tty/vt/vt.c:3334)\ntty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415\n    drivers/tty/tty_io.c:1392)\ntty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)\nchrdev_open (fs/char_dev.c:415)\ndo_dentry_open (fs/open.c:921)\nvfs_open (fs/open.c:1052)\n...\n\nFreed by task 4116:\nkfree (mm/slab_common.c:1016)\nvc_port_destruct (drivers/tty/vt/vt.c:1044)\ntty_port_destructor (drivers/tty/tty_port.c:296)\ntty_port_put (drivers/tty/tty_port.c:312)\nvt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))\nvt_ioctl (drivers/tty/vt/vt_ioctl.c:903)\ntty_ioctl (drivers/tty/tty_io.c:2778)\n...\n\nThe buggy address belongs to the object at ffff8880beab8800\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 424 bytes inside of\n freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)\n\nThe buggy address belongs to the physical 
page:\npage:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000\n    index:0x0 pfn:0xbeab8\nhead:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0\n    pincount:0\nflags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: 0xffffffff()\nraw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                  ^\n ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nDisabling lock debugging due to kernel taint"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T01:19:06.255Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/934de9a9b659785fed3e820bc0c813a460c71fea"
        },
        {
          "url": "https://git.kernel.org/stable/c/0deff678157333d775af190f84696336cdcccd6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4e3c4c65ae8510e01352c9a4347e05c035b2ce2"
        },
        {
          "url": "https://git.kernel.org/stable/c/11dddfbb7a4e62489b01074d6c04d9d1b42e4047"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67"
        },
        {
          "url": "https://git.kernel.org/stable/c/3338d0b9acde770ee588eead5cac32c25e7048fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/1de42e7653d6714a7507ba6696151a1fa028c69f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357"
        }
      ],
      "title": "vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53747",
    "datePublished": "2025-12-08T01:19:06.255Z",
    "dateReserved": "2025-12-08T01:18:04.279Z",
    "dateUpdated": "2025-12-08T01:19:06.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-53747\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-08T02:15:50.057\",\"lastModified\":\"2025-12-08T18:26:19.900\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF\\n\\nAfter a call to console_unlock() in vcs_write() the vc_data struct can be\\nfreed by vc_port_destruct(). Because of that, the struct vc_data pointer\\nmust be reloaded in the while loop in vcs_write() after console_lock() to\\navoid a UAF when vcs_size() is called.\\n\\nSyzkaller reported a UAF in vcs_size().\\n\\nBUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)\\nRead of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119\\n\\nCall Trace:\\n \u003cTASK\u003e\\n__asan_report_load4_noabort (mm/kasan/report_generic.c:380)\\nvcs_size (drivers/tty/vt/vc_screen.c:215)\\nvcs_write (drivers/tty/vt/vc_screen.c:664)\\nvfs_write (fs/read_write.c:582 fs/read_write.c:564)\\n...\\n \u003cTASK\u003e\\n\\nAllocated by task 1213:\\nkmalloc_trace (mm/slab_common.c:1064)\\nvc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680\\n    drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)\\ncon_install (drivers/tty/vt/vt.c:3334)\\ntty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415\\n    drivers/tty/tty_io.c:1392)\\ntty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)\\nchrdev_open (fs/char_dev.c:415)\\ndo_dentry_open (fs/open.c:921)\\nvfs_open (fs/open.c:1052)\\n...\\n\\nFreed by task 4116:\\nkfree (mm/slab_common.c:1016)\\nvc_port_destruct (drivers/tty/vt/vt.c:1044)\\ntty_port_destructor (drivers/tty/tty_port.c:296)\\ntty_port_put (drivers/tty/tty_port.c:312)\\nvt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))\\nvt_ioctl 
(drivers/tty/vt/vt_ioctl.c:903)\\ntty_ioctl (drivers/tty/tty_io.c:2778)\\n...\\n\\nThe buggy address belongs to the object at ffff8880beab8800\\n which belongs to the cache kmalloc-1k of size 1024\\nThe buggy address is located 424 bytes inside of\\n freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)\\n\\nThe buggy address belongs to the physical page:\\npage:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000\\n    index:0x0 pfn:0xbeab8\\nhead:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0\\n    pincount:0\\nflags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)\\npage_type: 0xffffffff()\\nraw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002\\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\\npage dumped because: kasan: bad access detected\\n\\nMemory state around the buggy address:\\n ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n\u003effff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n                                  ^\\n ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n==================================================================\\nDisabling lock debugging due to kernel 
taint\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0deff678157333d775af190f84696336cdcccd6d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/11dddfbb7a4e62489b01074d6c04d9d1b42e4047\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1de42e7653d6714a7507ba6696151a1fa028c69f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3338d0b9acde770ee588eead5cac32c25e7048fc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/934de9a9b659785fed3e820bc0c813a460c71fea\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a4e3c4c65ae8510e01352c9a4347e05c035b2ce2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

