CVE-2023-54142
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
24/12/2025
Last modified:
24/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

gtp: Fix use-after-free in __gtp_encap_destroy().

syzkaller reported use-after-free in __gtp_encap_destroy(). [0]

It shows the same process freed sk and touched it illegally.

Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock()
and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,
but release_sock() is called after sock_put() releases the last refcnt.

[0]:
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401

CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:351 [inline]
print_report+0xcc/0x620 mm/kasan/report.c:462
kasan_report+0xb2/0xe0 mm/kasan/report.c:572
check_region_inline mm/kasan/generic.c:181 [inline]
kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
do_raw_spin_lock include/linux/spinlock.h:186 [inline]
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
_raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:355 [inline]
release_sock+0x1f/0x1a0 net/core/sock.c:3526
gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg+0x1b7/0x200 net/socket.c:747
____sys_sendmsg+0x75a/0x990 net/socket.c:2493
___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
__sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc

Allocated by task 1483:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x
---truncated---
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d
- https://git.kernel.org/stable/c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3
- https://git.kernel.org/stable/c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4
- https://git.kernel.org/stable/c/bccc7ace12e69dee4684a3bb4b69737972e570d6
- https://git.kernel.org/stable/c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f
- https://git.kernel.org/stable/c/d38039697184aacff1cf576e14ef583112fdefef
- https://git.kernel.org/stable/c/dae6095bdb24f537b4798ffd9201515b97bac94e
- https://git.kernel.org/stable/c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6
- https://git.kernel.org/stable/c/ebd6d2077a083329110695a996c00e8ca94bc640



