In the Linux kernel, the following vulnerability has been resolved:
afunix: fix use-after-free in unixstreamreadactor()
syzbot reported the following crash [1]
After releasing unix socket lock, u->oob_skb can be changed by another thread. We must temporarily increase skb refcount to make sure this other thread will not free the skb under us.
[1]
BUG: KASAN: slab-use-after-free in unixstreamreadactor+0xa7/0xc0 net/unix/afunix.c:2866 Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297
CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 Call Trace: <TASK> dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xd9/0x1b0 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:364 [inline] printreport+0xc4/0x620 mm/kasan/report.c:475 kasanreport+0xda/0x110 mm/kasan/report.c:588 unixstreamreadactor+0xa7/0xc0 net/unix/afunix.c:2866 unixstreamrecvurg net/unix/afunix.c:2587 [inline] unixstreamreadgeneric+0x19a5/0x2480 net/unix/afunix.c:2666 unixstreamrecvmsg+0x189/0x1b0 net/unix/afunix.c:2903 sockrecvmsgnosec net/socket.c:1044 [inline] sockrecvmsg+0xe2/0x170 net/socket.c:1066 _sysrecvmsg+0x21f/0x5c0 net/socket.c:2803 _sysrecvmsg+0x115/0x1a0 net/socket.c:2845 _sysrecvmsg+0x114/0x1e0 net/socket.c:2875 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x3f/0x110 arch/x86/entry/common.c:82 entrySYSCALL64afterhwframe+0x63/0x6b RIP: 0033:0x7fc67492c559 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559 RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340 R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388 </TASK>
Allocated by task 5295: kasansavestack+0x33/0x50 mm/kasan/common.c:45 kasansettrack+0x25/0x30 mm/kasan/common.c:52 kasanslaballoc+0x81/0x90 mm/kasan/common.c:328 kasanslaballoc include/linux/kasan.h:188 [inline] slabpostallochook mm/slab.h:763 [inline] slaballocnode mm/slub.c:3478 [inline] kmemcacheallocnode+0x180/0x3c0 mm/slub.c:3523 _allocskb+0x287/0x330 net/core/skbuff.c:641 allocskb include/linux/skbuff.h:1286 [inline] allocskbwithfrags+0xe4/0x710 net/core/skbuff.c:6331 sockallocsendpskb+0x7e4/0x970 net/core/sock.c:2780 sockallocsendskb include/net/sock.h:1884 [inline] queueoob net/unix/afunix.c:2147 [inline] unixstreamsendmsg+0xb5f/0x10a0 net/unix/afunix.c:2301 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0xd5/0x180 net/socket.c:745 _syssendmsg+0x6ac/0x940 net/socket.c:2584 _syssendmsg+0x135/0x1d0 net/socket.c:2638 _syssendmsg+0x117/0x1e0 net/socket.c:2667 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x3f/0x110 arch/x86/entry/common.c:82 entrySYSCALL64afterhwframe+0x63/0x6b
Freed by task 5295: kasansavestack+0x33/0x50 mm/kasan/common.c:45 kasansettrack+0x25/0x30 mm/kasan/common.c:52 kasansavefreeinfo+0x2b/0x40 mm/kasan/generic.c:522 kasanslabfree mm/kasan/common.c:236 [inline] _kasanslabfree+0x15b/0x1b0 mm/kasan/common.c:200 kasanslabfree include/linux/kasan.h:164 [inline] slabfreehook mm/slub.c:1800 [inline] slabfreefreelisthook+0x114/0x1e0 mm/slub.c:1826 slabfree mm/slub.c:3809 [inline] kmemcachefree+0xf8/0x340 mm/slub.c:3831 kfreeskbmem+0xef/0x1b0 net/core/skbuff.c:1015 _kfreeskb net/core/skbuff.c:1073 [inline] consumeskb net/core/skbuff.c:1288 [inline] consumeskb+0xdf/0x170 net/core/skbuff.c:1282 queueoob net/unix/af_unix.c:2178 [inline] u ---truncated---
{ "vanir_signatures": [ { "digest": { "length": 719.0, "function_hash": "14460727214906403442988954938372941246" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75bcfc188abf4fae9c1d5f5dc0a03540be602eef", "signature_type": "Function", "target": { "function": "unix_stream_recv_urg", "file": "net/unix/af_unix.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2023-52772-44f87f16" }, { "digest": { "line_hashes": [ "168344302152716606160961578214885429874", "55205394900931448133122118734605915500", "2670971427589229912416157393051028082", "219382435236205528027196446740878483402", "56782629806247992896158929447074116451", "38453450129905191237203402404100460129", "268323683517676337123010734425356800897", "150436429497525248634651395917006370056", "272710964457692086946974176764510295681" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@069a3ec329ff43e7869a3d94c62cd03203016bce", "signature_type": "Line", "target": { "file": "net/unix/af_unix.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2023-52772-8ba62967" }, { "digest": { "length": 719.0, "function_hash": "14460727214906403442988954938372941246" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4b7b492615cf3017190f55444f7016812b66611d", "signature_type": "Function", "target": { "function": "unix_stream_recv_urg", "file": "net/unix/af_unix.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2023-52772-a10e1629" }, { "digest": { "line_hashes": [ "168344302152716606160961578214885429874", "55205394900931448133122118734605915500", "2670971427589229912416157393051028082", "219382435236205528027196446740878483402", "56782629806247992896158929447074116451", "38453450129905191237203402404100460129", "268323683517676337123010734425356800897", "150436429497525248634651395917006370056", "272710964457692086946974176764510295681" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4b7b492615cf3017190f55444f7016812b66611d", "signature_type": "Line", "target": { "file": "net/unix/af_unix.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2023-52772-a51fc746" }, { "digest": { "length": 719.0, "function_hash": "14460727214906403442988954938372941246" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@069a3ec329ff43e7869a3d94c62cd03203016bce", "signature_type": "Function", "target": { "function": "unix_stream_recv_urg", "file": "net/unix/af_unix.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2023-52772-c7c79b76" }, { "digest": { "line_hashes": [ "168344302152716606160961578214885429874", "55205394900931448133122118734605915500", "2670971427589229912416157393051028082", "219382435236205528027196446740878483402", "56782629806247992896158929447074116451", "38453450129905191237203402404100460129", "268323683517676337123010734425356800897", "150436429497525248634651395917006370056", "272710964457692086946974176764510295681" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d179189eec426fe4801e4b91efa1889faed12700", "signature_type": "Line", "target": { "file": "net/unix/af_unix.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2023-52772-cc856fd9" }, { "digest": { "length": 719.0, "function_hash": "14460727214906403442988954938372941246" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d179189eec426fe4801e4b91efa1889faed12700", "signature_type": "Function", "target": { "function": "unix_stream_recv_urg", "file": "net/unix/af_unix.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2023-52772-da0e336f" }, { "digest": { "line_hashes": [ "168344302152716606160961578214885429874", "55205394900931448133122118734605915500", "2670971427589229912416157393051028082", "219382435236205528027196446740878483402", "56782629806247992896158929447074116451", "38453450129905191237203402404100460129", "268323683517676337123010734425356800897", "150436429497525248634651395917006370056", "272710964457692086946974176764510295681" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75bcfc188abf4fae9c1d5f5dc0a03540be602eef", "signature_type": "Line", "target": { "file": "net/unix/af_unix.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2023-52772-fc57e4cd" } ] }