CVE-2023-52578
Severity CVSS v4.0:
Pending analysis
Type:
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
02/03/2024
Last modified:
11/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: bridge: use DEV_STATS_INC()<br />
<br />
syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]<br />
This function can run from multiple cpus without mutual exclusion.<br />
<br />
Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.<br />
<br />
Handles updates to dev->stats.tx_dropped while we are at it.<br />
<br />
[1]<br />
BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish<br />
<br />
read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:<br />
br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189<br />
br_nf_hook_thresh+0x1ed/0x220<br />
br_nf_pre_routing_finish_ipv6+0x50f/0x540<br />
NF_HOOK include/linux/netfilter.h:304 [inline]<br />
br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178<br />
br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508<br />
nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]<br />
nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]<br />
br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417<br />
__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417<br />
__netif_receive_skb_one_core net/core/dev.c:5521 [inline]<br />
__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637<br />
process_backlog+0x21f/0x380 net/core/dev.c:5965<br />
__napi_poll+0x60/0x3b0 net/core/dev.c:6527<br />
napi_poll net/core/dev.c:6594 [inline]<br />
net_rx_action+0x32b/0x750 net/core/dev.c:6727<br />
__do_softirq+0xc1/0x265 kernel/softirq.c:553<br />
run_ksoftirqd+0x17/0x20 kernel/softirq.c:921<br />
smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164<br />
kthread+0x1d7/0x210 kernel/kthread.c:388<br />
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147<br />
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304<br />
<br />
read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:<br />
br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189<br />
br_nf_hook_thresh+0x1ed/0x220<br />
br_nf_pre_routing_finish_ipv6+0x50f/0x540<br />
NF_HOOK include/linux/netfilter.h:304 [inline]<br />
br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178<br />
br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508<br />
nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]<br />
nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]<br />
br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417<br />
__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417<br />
__netif_receive_skb_one_core net/core/dev.c:5521 [inline]<br />
__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637<br />
process_backlog+0x21f/0x380 net/core/dev.c:5965<br />
__napi_poll+0x60/0x3b0 net/core/dev.c:6527<br />
napi_poll net/core/dev.c:6594 [inline]<br />
net_rx_action+0x32b/0x750 net/core/dev.c:6727<br />
__do_softirq+0xc1/0x265 kernel/softirq.c:553<br />
do_softirq+0x5e/0x90 kernel/softirq.c:454<br />
__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381<br />
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]<br />
_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210<br />
spin_unlock_bh include/linux/spinlock.h:396 [inline]<br />
batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356<br />
batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560<br />
process_one_work kernel/workqueue.c:2630 [inline]<br />
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703<br />
worker_thread+0x525/0x730 kernel/workqueue.c:2784<br />
kthread+0x1d7/0x210 kernel/kthread.c:388<br />
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147<br />
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304<br />
<br />
value changed: 0x00000000000d7190 -> 0x00000000000d7191<br />
<br />
Reported by Kernel Concurrency Sanitizer on:<br />
CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0
Impact
Base Score 3.x
7.00
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.17 (including) | 4.19.296 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.198 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.134 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.56 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.5.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd
- https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4
- https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2
- https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394
- https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5
- https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839
- https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa
- https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd
- https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4
- https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2
- https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394
- https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5
- https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839
- https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa