CVE-2023-52772
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
21/05/2024
Last modified:
24/05/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
af_unix: fix use-after-free in unix_stream_read_actor()<br />
<br />
syzbot reported the following crash [1]<br />
<br />
After releasing unix socket lock, u->oob_skb can be changed<br />
by another thread. We must temporarily increase skb refcount<br />
to make sure this other thread will not free the skb under us.<br />
<br />
[1]<br />
<br />
BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866<br />
Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297<br />
<br />
CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023<br />
Call Trace:<br />
<br />
__dump_stack lib/dump_stack.c:88 [inline]<br />
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106<br />
print_address_description mm/kasan/report.c:364 [inline]<br />
print_report+0xc4/0x620 mm/kasan/report.c:475<br />
kasan_report+0xda/0x110 mm/kasan/report.c:588<br />
unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866<br />
unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]<br />
unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666<br />
unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903<br />
sock_recvmsg_nosec net/socket.c:1044 [inline]<br />
sock_recvmsg+0xe2/0x170 net/socket.c:1066<br />
____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803<br />
___sys_recvmsg+0x115/0x1a0 net/socket.c:2845<br />
__sys_recvmsg+0x114/0x1e0 net/socket.c:2875<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x63/0x6b<br />
RIP: 0033:0x7fc67492c559<br />
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br />
RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f<br />
RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559<br />
RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004<br />
RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340<br />
R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388<br />
<br />
<br />
Allocated by task 5295:<br />
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45<br />
kasan_set_track+0x25/0x30 mm/kasan/common.c:52<br />
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328<br />
kasan_slab_alloc include/linux/kasan.h:188 [inline]<br />
slab_post_alloc_hook mm/slab.h:763 [inline]<br />
slab_alloc_node mm/slub.c:3478 [inline]<br />
kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523<br />
__alloc_skb+0x287/0x330 net/core/skbuff.c:641<br />
alloc_skb include/linux/skbuff.h:1286 [inline]<br />
alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331<br />
sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780<br />
sock_alloc_send_skb include/net/sock.h:1884 [inline]<br />
queue_oob net/unix/af_unix.c:2147 [inline]<br />
unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301<br />
sock_sendmsg_nosec net/socket.c:730 [inline]<br />
__sock_sendmsg+0xd5/0x180 net/socket.c:745<br />
____sys_sendmsg+0x6ac/0x940 net/socket.c:2584<br />
___sys_sendmsg+0x135/0x1d0 net/socket.c:2638<br />
__sys_sendmsg+0x117/0x1e0 net/socket.c:2667<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x63/0x6b<br />
<br />
Freed by task 5295:<br />
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45<br />
kasan_set_track+0x25/0x30 mm/kasan/common.c:52<br />
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522<br />
____kasan_slab_free mm/kasan/common.c:236 [inline]<br />
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200<br />
kasan_slab_free include/linux/kasan.h:164 [inline]<br />
slab_free_hook mm/slub.c:1800 [inline]<br />
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826<br />
slab_free mm/slub.c:3809 [inline]<br />
kmem_cache_free+0xf8/0x340 mm/slub.c:3831<br />
kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015<br />
__kfree_skb net/core/skbuff.c:1073 [inline]<br />
consume_skb net/core/skbuff.c:1288 [inline]<br />
consume_skb+0xdf/0x170 net/core/skbuff.c:1282<br />
queue_oob net/unix/af_unix.c:2178 [inline]<br />
u<br />
---truncated---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15 (including) | 5.15.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.5.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6 (including) | 6.6.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce
- https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d
- https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef
- https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700
- https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0