CVE-2023-53088

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
05/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix UaF in listener shutdown

As reported by Christoph after having refactored the passive
socket initialization, the mptcp listener shutdown path is prone
to a UaF issue.

BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0
Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266

CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:

 dump_stack_lvl+0x6e/0x91
 print_report+0x16a/0x46f
 kasan_report+0xad/0x130
 kasan_check_range+0x14a/0x1a0
 _raw_spin_lock_bh+0x73/0xe0
 subflow_error_report+0x6d/0x110
 sk_error_report+0x3b/0x190
 tcp_disconnect+0x138c/0x1aa0
 inet_child_forget+0x6f/0x2e0
 inet_csk_listen_stop+0x209/0x1060
 __mptcp_close_ssk+0x52d/0x610
 mptcp_destroy_common+0x165/0x640
 mptcp_destroy+0x13/0x80
 __mptcp_destroy_sock+0xe7/0x270
 __mptcp_close+0x70e/0x9b0
 mptcp_close+0x2b/0x150
 inet_release+0xe9/0x1f0
 __sock_release+0xd2/0x280
 sock_close+0x15/0x20
 __fput+0x252/0xa20
 task_work_run+0x169/0x250
 exit_to_user_mode_prepare+0x113/0x120
 syscall_exit_to_user_mode+0x1d/0x40
 do_syscall_64+0x48/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

The msk grace period can legitimately expire in between the last
reference count dropped in mptcp_subflow_queue_clean() and
the later eventual access in inet_csk_listen_stop().

After the previous patch we don't need the special-casing of
msk listener socket cleanup anymore: the mptcp worker will process each
of the unaccepted msk sockets.

Just drop the now unnecessary code.

Please note this commit depends on the two parent ones:

mptcp: refactor passive socket initialization
mptcp: use the workqueue to destroy unaccepted sockets
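The root cause described above is a lifetime ordering bug: one cleanup path drops the last reference to a child socket, and a second cleanup path still walks that child afterwards. The following userland C model is an added illustration and is not kernel code or the upstream fix; the struct, function names and the "freed" flag are hypothetical stand-ins for the msk/subflow objects in the trace. Reclaiming an object on the last put is simulated by poisoning it, so the stale access is detected instead of being undefined behaviour. The "fixed" variant shows the generic safe ordering (hold a reference across the access); the actual upstream change instead removed the special-cased listener cleanup so that the mptcp worker handles each unaccepted socket, which avoids the second access altogether.

```c
#include <stdlib.h>

/* Hypothetical model of a refcounted child socket (not Linux kernel code).
 * Dropping the last reference marks the object freed instead of really
 * freeing it, so a stale access can be detected rather than crashing. */
struct subflow {
    int refcnt;
    int freed;        /* set once the "grace period" expired and memory was reclaimed */
    int lock_taken;   /* stands in for the spin lock the KASAN trace shows being written */
};

static struct subflow *subflow_alloc(void)
{
    struct subflow *sf = calloc(1, sizeof(*sf));
    if (sf)
        sf->refcnt = 1;
    return sf;
}

static void subflow_hold(struct subflow *sf)
{
    sf->refcnt++;
}

/* Drop one reference; on zero, treat the grace period as expired and
 * reclaim (here: poison) the object. */
static void subflow_put(struct subflow *sf)
{
    if (--sf->refcnt == 0)
        sf->freed = 1;
}

/* The later access (sk_error_report -> subflow_error_report in the trace):
 * take the lock. Returns 1 if it touched reclaimed memory, which is the
 * point where KASAN fires in the real report. */
static int subflow_error_report(struct subflow *sf)
{
    if (sf->freed)
        return 1;   /* use-after-free */
    sf->lock_taken = 1;
    return 0;
}

/* Buggy ordering: queue_clean drops the only reference, then listen_stop
 * still walks the child and reports an error on it. Returns 1 on UaF. */
int buggy_listener_shutdown(void)
{
    struct subflow *sf = subflow_alloc();
    int uaf;

    if (!sf)
        return -1;
    subflow_put(sf);                    /* mptcp_subflow_queue_clean(): last ref dropped */
    uaf = subflow_error_report(sf);     /* inet_csk_listen_stop(): stale access */
    free(sf);
    return uaf;
}

/* Safe ordering: whoever still needs the child pins it with its own
 * reference for the duration of the access. Returns 0 (no UaF). */
int fixed_listener_shutdown(void)
{
    struct subflow *sf = subflow_alloc();
    int uaf;

    if (!sf)
        return -1;
    subflow_hold(sf);                   /* listen_stop path takes its own reference */
    subflow_put(sf);                    /* queue_clean drops its reference; object survives */
    uaf = subflow_error_report(sf);     /* access is now on a live object */
    subflow_put(sf);                    /* listen_stop releases; reclaimed here */
    free(sf);
    return uaf;
}
```

Running both paths under a sanitizer-free build still distinguishes them, because the model tracks reclamation explicitly; in the kernel the same ordering is only visible with KASAN, which is why the report above came from a syzkaller run.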

Impact