CVE-2023-54161
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 24/12/2025
Last modified: 24/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage()
with detailed analysis and a nice repro.

unix_stream_sendpage() tries to add data to the last skb in the peer's
recv queue without locking the queue.

If the peer's FD is passed to another socket and the socket's FD is
passed to the peer, there is a loop between them. If we close both
sockets without receiving FD, the sockets will be cleaned up by garbage
collection.

The garbage collection iterates such sockets and unlinks skb with
FD from the socket's receive queue under the queue's lock.

So, there is a race where unix_stream_sendpage() could access an skb
locklessly that is being released by garbage collection, resulting in
use-after-free.

To avoid the issue, unix_stream_sendpage() must lock the peer's recv
queue.

Note the issue does not exist in 6.5+ thanks to the recent sendpage()
refactoring.

This patch is originally written by Linus Torvalds.

BUG: unable to handle page fault for address: ffff988004dd6870
PF: supervisor read access in kernel mode
PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
PREEMPT SMP PTI
CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0
Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44
RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246
RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284
RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0
RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00
R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8
FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0
PKRU: 55555554
Call Trace:
? __die_body.cold+0x1a/0x1f
? page_fault_oops+0xa9/0x1e0
? fixup_exception+0x1d/0x310
? exc_page_fault+0xa8/0x150
? asm_exc_page_fault+0x22/0x30
? kmem_cache_alloc_node+0xa2/0x1e0
? __alloc_skb+0x16c/0x1e0
__alloc_skb+0x16c/0x1e0
alloc_skb_with_frags+0x48/0x1e0
sock_alloc_send_pskb+0x234/0x270
unix_stream_sendmsg+0x1f5/0x690
sock_sendmsg+0x5d/0x60
____sys_sendmsg+0x210/0x260
___sys_sendmsg+0x83/0xd0
? kmem_cache_alloc+0xc6/0x1c0
? avc_disable+0x20/0x20
? percpu_counter_add_batch+0x53/0xc0
? alloc_empty_file+0x5d/0xb0
? alloc_file+0x91/0x170
? alloc_file_pseudo+0x94/0x100
? __fget_light+0x9f/0x120
__sys_sendmsg+0x54/0xa0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x69/0xd3
RIP: 0033:0x7f174d639a7d
Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48
RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d
RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007
RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff
R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28
R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000