CVE-2023-53781

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smc: Fix use-after-free in tcp_write_timer_handler().<br /> <br /> With Eric&amp;#39;s ref tracker, syzbot finally found a repro for<br /> use-after-free in tcp_write_timer_handler() by kernel TCP<br /> sockets. [0]<br /> <br /> If SMC creates a kernel socket in __smc_create(), the kernel<br /> socket is supposed to be freed in smc_clcsock_release() by<br /> calling sock_release() when we close() the parent SMC socket.<br /> <br /> However, at the end of smc_clcsock_release(), the kernel<br /> socket&amp;#39;s sk_state might not be TCP_CLOSE. This means that<br /> we have not called inet_csk_destroy_sock() in __tcp_close()<br /> and have not stopped the TCP timers.<br /> <br /> The kernel socket&amp;#39;s TCP timers can be fired later, so we<br /> need to hold a refcnt for net as we do for MPTCP subflows<br /> in mptcp_subflow_create_socket().<br /> <br /> [0]:<br /> leaked reference.<br /> sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)<br /> inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)<br /> __sock_create (net/socket.c:1546)<br /> smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)<br /> __sock_create (net/socket.c:1546)<br /> __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)<br /> __x64_sys_socket (net/socket.c:1672)<br /> do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)<br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)<br /> Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091<br /> <br /> CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:107)<br /> print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)<br /> kasan_report (mm/kasan/report.c:538)<br /> tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)<br /> tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)<br /> call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)<br /> __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)<br /> run_timer_softirq (kernel/time/timer.c:2037)<br /> __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)<br /> __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)<br /> irq_exit_rcu (kernel/softirq.c:664)<br /> sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))<br />