{"api_version":"1","generated_at":"2026-04-13T19:47:59+00:00","cve":"CVE-2023-52975","urls":{"html":"https://cve.report/CVE-2023-52975","api":"https://cve.report/api/cve/CVE-2023-52975.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-52975","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-52975"},"summary":{"title":"scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress\n\nBug report and analysis from Ding Hui.\n\nDuring iSCSI session logout, if another task accesses the shost ipaddress\nattr, we can get a KASAN UAF report like this:\n\n[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0\n[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088\n[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3\n[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[  276.944470] Call Trace:\n[  276.944943]  <TASK>\n[  276.945397]  dump_stack_lvl+0x34/0x48\n[  276.945887]  print_address_description.constprop.0+0x86/0x1e7\n[  276.946421]  print_report+0x36/0x4f\n[  276.947358]  kasan_report+0xad/0x130\n[  276.948234]  kasan_check_range+0x35/0x1c0\n[  276.948674]  _raw_spin_lock_bh+0x78/0xe0\n[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]\n[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]\n[  276.952185]  dev_attr_show+0x3f/0x80\n[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0\n[  276.953401]  seq_read_iter+0x402/0x1020\n[  276.954260]  vfs_read+0x532/0x7b0\n[  276.955113]  ksys_read+0xed/0x1c0\n[  276.955952]  do_syscall_64+0x38/0x90\n[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.956769] RIP: 0033:0x7f5d3a679222\n[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222\n[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003\n[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000\n[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000\n[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58\n[  276.960536]  </TASK>\n[  276.961357] Allocated by task 2209:\n[  276.961756]  kasan_save_stack+0x1e/0x40\n[  276.962170]  kasan_set_track+0x21/0x30\n[  276.962557]  __kasan_kmalloc+0x7e/0x90\n[  276.962923]  __kmalloc+0x5b/0x140\n[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]\n[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]\n[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]\n[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]\n[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]\n[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.965546]  netlink_unicast+0x4d5/0x7b0\n[  276.965905]  netlink_sendmsg+0x78d/0xc30\n[  276.966236]  sock_sendmsg+0xe5/0x120\n[  276.966576]  ____sys_sendmsg+0x5fe/0x860\n[  276.966923]  ___sys_sendmsg+0xe0/0x170\n[  276.967300]  __sys_sendmsg+0xc8/0x170\n[  276.967666]  do_syscall_64+0x38/0x90\n[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.968773] Freed by task 2209:\n[  276.969111]  kasan_save_stack+0x1e/0x40\n[  276.969449]  kasan_set_track+0x21/0x30\n[  276.969789]  kasan_save_free_info+0x2a/0x50\n[  276.970146]  __kasan_slab_free+0x106/0x190\n[  276.970470]  __kmem_cache_free+0x133/0x270\n[  276.970816]  device_release+0x98/0x210\n[  276.971145]  kobject_cleanup+0x101/0x360\n[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]\n[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]\n[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]\n[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.972808]  netlink_unicast+0x4d5/0x7b0\n[  276.973201]  netlink_sendmsg+0x78d/0xc30\n[  276.973544]  sock_sendmsg+0xe5/0x120\n[  276.973864]  ____sys_sendmsg+0x5fe/0x860\n[  276.974248]  ___sys_\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2025-03-27 17:15:44","updated_at":"2026-04-01 18:09:42"},"problem_types":["CWE-416","CWE-416 CWE-416 Use After Free"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/17b738590b97fb3fc287289971d1519ff9b875a1","name":"https://git.kernel.org/stable/c/17b738590b97fb3fc287289971d1519ff9b875a1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6f1d64b13097e85abda0f91b5638000afc5f9a06","name":"https://git.kernel.org/stable/c/6f1d64b13097e85abda0f91b5638000afc5f9a06","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8859687f5b242c0b057461df0a9ff51d5500783b","name":"https://git.kernel.org/stable/c/8859687f5b242c0b057461df0a9ff51d5500783b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0af745fddefbd56198f4f35eb309215ee5f9e21e","name":"https://git.kernel.org/stable/c/0af745fddefbd56198f4f35eb309215ee5f9e21e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-52975","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52975","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a79af8a64d395bd89de8695a5ea5e1a7f01f02a8 0af745fddefbd56198f4f35eb309215ee5f9e21e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a79af8a64d395bd89de8695a5ea5e1a7f01f02a8 17b738590b97fb3fc287289971d1519ff9b875a1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a79af8a64d395bd89de8695a5ea5e1a7f01f02a8 8859687f5b242c0b057461df0a9ff51d5500783b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a79af8a64d395bd89de8695a5ea5e1a7f01f02a8 6f1d64b13097e85abda0f91b5638000afc5f9a06 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.39","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.39 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.248 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.93 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.11 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.2 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"52975","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2023-52975","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-03-27T16:59:46.852113Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-416","description":"CWE-416 Use After Free","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-03-27T17:08:22.400Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/scsi/iscsi_tcp.c","drivers/scsi/libiscsi.c","include/scsi/libiscsi.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"0af745fddefbd56198f4f35eb309215ee5f9e21e","status":"affected","version":"a79af8a64d395bd89de8695a5ea5e1a7f01f02a8","versionType":"git"},{"lessThan":"17b738590b97fb3fc287289971d1519ff9b875a1","status":"affected","version":"a79af8a64d395bd89de8695a5ea5e1a7f01f02a8","versionType":"git"},{"lessThan":"8859687f5b242c0b057461df0a9ff51d5500783b","status":"affected","version":"a79af8a64d395bd89de8695a5ea5e1a7f01f02a8","versionType":"git"},{"lessThan":"6f1d64b13097e85abda0f91b5638000afc5f9a06","status":"affected","version":"a79af8a64d395bd89de8695a5ea5e1a7f01f02a8","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/scsi/iscsi_tcp.c","drivers/scsi/libiscsi.c","include/scsi/libiscsi.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.39"},{"lessThan":"2.6.39","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.248","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.93","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.2","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.248","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.93","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.11","versionStartIncluding":"2.6.39","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.2","versionStartIncluding":"2.6.39","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress\n\nBug report and analysis from Ding Hui.\n\nDuring iSCSI session logout, if another task accesses the shost ipaddress\nattr, we can get a KASAN UAF report like this:\n\n[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0\n[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088\n[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3\n[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[  276.944470] Call Trace:\n[  276.944943]  <TASK>\n[  276.945397]  dump_stack_lvl+0x34/0x48\n[  276.945887]  print_address_description.constprop.0+0x86/0x1e7\n[  276.946421]  print_report+0x36/0x4f\n[  276.947358]  kasan_report+0xad/0x130\n[  276.948234]  kasan_check_range+0x35/0x1c0\n[  276.948674]  _raw_spin_lock_bh+0x78/0xe0\n[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]\n[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]\n[  276.952185]  dev_attr_show+0x3f/0x80\n[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0\n[  276.953401]  seq_read_iter+0x402/0x1020\n[  276.954260]  vfs_read+0x532/0x7b0\n[  276.955113]  ksys_read+0xed/0x1c0\n[  276.955952]  do_syscall_64+0x38/0x90\n[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.956769] RIP: 0033:0x7f5d3a679222\n[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222\n[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003\n[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000\n[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000\n[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58\n[  276.960536]  </TASK>\n[  276.961357] Allocated by task 2209:\n[  276.961756]  kasan_save_stack+0x1e/0x40\n[  276.962170]  kasan_set_track+0x21/0x30\n[  276.962557]  __kasan_kmalloc+0x7e/0x90\n[  276.962923]  __kmalloc+0x5b/0x140\n[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]\n[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]\n[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]\n[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]\n[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]\n[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.965546]  netlink_unicast+0x4d5/0x7b0\n[  276.965905]  netlink_sendmsg+0x78d/0xc30\n[  276.966236]  sock_sendmsg+0xe5/0x120\n[  276.966576]  ____sys_sendmsg+0x5fe/0x860\n[  276.966923]  ___sys_sendmsg+0xe0/0x170\n[  276.967300]  __sys_sendmsg+0xc8/0x170\n[  276.967666]  do_syscall_64+0x38/0x90\n[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.968773] Freed by task 2209:\n[  276.969111]  kasan_save_stack+0x1e/0x40\n[  276.969449]  kasan_set_track+0x21/0x30\n[  276.969789]  kasan_save_free_info+0x2a/0x50\n[  276.970146]  __kasan_slab_free+0x106/0x190\n[  276.970470]  __kmem_cache_free+0x133/0x270\n[  276.970816]  device_release+0x98/0x210\n[  276.971145]  kobject_cleanup+0x101/0x360\n[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]\n[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]\n[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]\n[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.972808]  netlink_unicast+0x4d5/0x7b0\n[  276.973201]  netlink_sendmsg+0x78d/0xc30\n[  276.973544]  sock_sendmsg+0xe5/0x120\n[  276.973864]  ____sys_sendmsg+0x5fe/0x860\n[  276.974248]  ___sys_\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-01-19T12:17:43.562Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/0af745fddefbd56198f4f35eb309215ee5f9e21e"},{"url":"https://git.kernel.org/stable/c/17b738590b97fb3fc287289971d1519ff9b875a1"},{"url":"https://git.kernel.org/stable/c/8859687f5b242c0b057461df0a9ff51d5500783b"},{"url":"https://git.kernel.org/stable/c/6f1d64b13097e85abda0f91b5638000afc5f9a06"}],"title":"scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2023-52975","datePublished":"2025-03-27T16:43:15.322Z","dateReserved":"2025-03-27T16:40:15.737Z","dateUpdated":"2026-01-19T12:17:43.562Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-03-27 17:15:44","lastModifiedDate":"2026-04-01 18:09:42","problem_types":["CWE-416","CWE-416 CWE-416 Use After Free"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.248","matchCriteriaId":"B42E4BD5-25E8-46E1-9C5E-FEED77EA97B1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.93","matchCriteriaId":"98FAC10E-42A0-4372-B1A0-A49CF672890E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.11","matchCriteriaId":"535D03F4-DA02-49FE-934E-668827E6407B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*","matchCriteriaId":"FF501633-2F44-4913-A8EE-B021929F49F6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*","matchCriteriaId":"2BDA597B-CAC1-4DF0-86F0-42E142C654E9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*","matchCriteriaId":"725C78C9-12CE-406F-ABE8-0813A01D66E8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*","matchCriteriaId":"A127C155-689C-4F67-B146-44A57F4BFD85"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*","matchCriteriaId":"D34127CC-68F5-4703-A5F6-5006F803E4AE"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2023","CveId":"52975","Ordinal":"1","Title":"scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ","CVE":"CVE-2023-52975","Year":"2023"},"notes":[{"CveYear":"2023","CveId":"52975","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress\n\nBug report and analysis from Ding Hui.\n\nDuring iSCSI session logout, if another task accesses the shost ipaddress\nattr, we can get a KASAN UAF report like this:\n\n[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0\n[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088\n[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3\n[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[  276.944470] Call Trace:\n[  276.944943]  <TASK>\n[  276.945397]  dump_stack_lvl+0x34/0x48\n[  276.945887]  print_address_description.constprop.0+0x86/0x1e7\n[  276.946421]  print_report+0x36/0x4f\n[  276.947358]  kasan_report+0xad/0x130\n[  276.948234]  kasan_check_range+0x35/0x1c0\n[  276.948674]  _raw_spin_lock_bh+0x78/0xe0\n[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]\n[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]\n[  276.952185]  dev_attr_show+0x3f/0x80\n[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0\n[  276.953401]  seq_read_iter+0x402/0x1020\n[  276.954260]  vfs_read+0x532/0x7b0\n[  276.955113]  ksys_read+0xed/0x1c0\n[  276.955952]  do_syscall_64+0x38/0x90\n[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.956769] RIP: 0033:0x7f5d3a679222\n[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222\n[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003\n[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000\n[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000\n[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58\n[  276.960536]  </TASK>\n[  276.961357] Allocated by task 2209:\n[  276.961756]  kasan_save_stack+0x1e/0x40\n[  276.962170]  kasan_set_track+0x21/0x30\n[  276.962557]  __kasan_kmalloc+0x7e/0x90\n[  276.962923]  __kmalloc+0x5b/0x140\n[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]\n[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]\n[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]\n[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]\n[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]\n[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.965546]  netlink_unicast+0x4d5/0x7b0\n[  276.965905]  netlink_sendmsg+0x78d/0xc30\n[  276.966236]  sock_sendmsg+0xe5/0x120\n[  276.966576]  ____sys_sendmsg+0x5fe/0x860\n[  276.966923]  ___sys_sendmsg+0xe0/0x170\n[  276.967300]  __sys_sendmsg+0xc8/0x170\n[  276.967666]  do_syscall_64+0x38/0x90\n[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  276.968773] Freed by task 2209:\n[  276.969111]  kasan_save_stack+0x1e/0x40\n[  276.969449]  kasan_set_track+0x21/0x30\n[  276.969789]  kasan_save_free_info+0x2a/0x50\n[  276.970146]  __kasan_slab_free+0x106/0x190\n[  276.970470]  __kmem_cache_free+0x133/0x270\n[  276.970816]  device_release+0x98/0x210\n[  276.971145]  kobject_cleanup+0x101/0x360\n[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]\n[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]\n[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]\n[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[  276.972808]  netlink_unicast+0x4d5/0x7b0\n[  276.973201]  netlink_sendmsg+0x78d/0xc30\n[  276.973544]  sock_sendmsg+0xe5/0x120\n[  276.973864]  ____sys_sendmsg+0x5fe/0x860\n[  276.974248]  ___sys_\n---truncated---","Type":"Description","Title":"scsi: iscsi_tcp: Fix UAF during logout when accessing the shost "}]}}}