In the Linux kernel, the following vulnerability has been resolved:
afunix: fix use-after-free in unixstreamreadactor()
syzbot reported the following crash [1]
After releasing unix socket lock, u->oob_skb can be changed by another thread. We must temporarily increase skb refcount to make sure this other thread will not free the skb under us.
[1]
BUG: KASAN: slab-use-after-free in unixstreamreadactor+0xa7/0xc0 net/unix/afunix.c:2866 Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297
CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 Call Trace: <TASK> dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xd9/0x1b0 lib/dumpstack.c:106 printaddressdescription mm/kasan/report.c:364 [inline] printreport+0xc4/0x620 mm/kasan/report.c:475 kasanreport+0xda/0x110 mm/kasan/report.c:588 unixstreamreadactor+0xa7/0xc0 net/unix/afunix.c:2866 unixstreamrecvurg net/unix/afunix.c:2587 [inline] unixstreamreadgeneric+0x19a5/0x2480 net/unix/afunix.c:2666 unixstreamrecvmsg+0x189/0x1b0 net/unix/afunix.c:2903 sockrecvmsgnosec net/socket.c:1044 [inline] sockrecvmsg+0xe2/0x170 net/socket.c:1066 _sysrecvmsg+0x21f/0x5c0 net/socket.c:2803 _sysrecvmsg+0x115/0x1a0 net/socket.c:2845 _sysrecvmsg+0x114/0x1e0 net/socket.c:2875 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x3f/0x110 arch/x86/entry/common.c:82 entrySYSCALL64afterhwframe+0x63/0x6b RIP: 0033:0x7fc67492c559 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559 RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004 RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340 R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388 </TASK>
Allocated by task 5295: kasansavestack+0x33/0x50 mm/kasan/common.c:45 kasansettrack+0x25/0x30 mm/kasan/common.c:52 kasanslaballoc+0x81/0x90 mm/kasan/common.c:328 kasanslaballoc include/linux/kasan.h:188 [inline] slabpostallochook mm/slab.h:763 [inline] slaballocnode mm/slub.c:3478 [inline] kmemcacheallocnode+0x180/0x3c0 mm/slub.c:3523 _allocskb+0x287/0x330 net/core/skbuff.c:641 allocskb include/linux/skbuff.h:1286 [inline] allocskbwithfrags+0xe4/0x710 net/core/skbuff.c:6331 sockallocsendpskb+0x7e4/0x970 net/core/sock.c:2780 sockallocsendskb include/net/sock.h:1884 [inline] queueoob net/unix/afunix.c:2147 [inline] unixstreamsendmsg+0xb5f/0x10a0 net/unix/afunix.c:2301 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0xd5/0x180 net/socket.c:745 _syssendmsg+0x6ac/0x940 net/socket.c:2584 _syssendmsg+0x135/0x1d0 net/socket.c:2638 _syssendmsg+0x117/0x1e0 net/socket.c:2667 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x3f/0x110 arch/x86/entry/common.c:82 entrySYSCALL64afterhwframe+0x63/0x6b
Freed by task 5295: kasansavestack+0x33/0x50 mm/kasan/common.c:45 kasansettrack+0x25/0x30 mm/kasan/common.c:52 kasansavefreeinfo+0x2b/0x40 mm/kasan/generic.c:522 kasanslabfree mm/kasan/common.c:236 [inline] _kasanslabfree+0x15b/0x1b0 mm/kasan/common.c:200 kasanslabfree include/linux/kasan.h:164 [inline] slabfreehook mm/slub.c:1800 [inline] slabfreefreelisthook+0x114/0x1e0 mm/slub.c:1826 slabfree mm/slub.c:3809 [inline] kmemcachefree+0xf8/0x340 mm/slub.c:3831 kfreeskbmem+0xef/0x1b0 net/core/skbuff.c:1015 _kfreeskb net/core/skbuff.c:1073 [inline] consumeskb net/core/skbuff.c:1288 [inline] consumeskb+0xdf/0x170 net/core/skbuff.c:1282 queueoob net/unix/af_unix.c:2178 [inline] u ---truncated---
[
{
"id": "CVE-2023-52772-44f87f16",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 719.0,
"function_hash": "14460727214906403442988954938372941246"
},
"target": {
"function": "unix_stream_recv_urg",
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75bcfc188abf4fae9c1d5f5dc0a03540be602eef",
"signature_type": "Function"
},
{
"id": "CVE-2023-52772-6ebb5c0f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 719.0,
"function_hash": "14460727214906403442988954938372941246"
},
"target": {
"function": "unix_stream_recv_urg",
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eae0b295ce16d8c8b4114c3037993191b4bb92f0",
"signature_type": "Function"
},
{
"id": "CVE-2023-52772-8ba62967",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"168344302152716606160961578214885429874",
"55205394900931448133122118734605915500",
"2670971427589229912416157393051028082",
"219382435236205528027196446740878483402",
"56782629806247992896158929447074116451",
"38453450129905191237203402404100460129",
"268323683517676337123010734425356800897",
"150436429497525248634651395917006370056",
"272710964457692086946974176764510295681"
],
"threshold": 0.9
},
"target": {
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@069a3ec329ff43e7869a3d94c62cd03203016bce",
"signature_type": "Line"
},
{
"id": "CVE-2023-52772-a10e1629",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 719.0,
"function_hash": "14460727214906403442988954938372941246"
},
"target": {
"function": "unix_stream_recv_urg",
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4b7b492615cf3017190f55444f7016812b66611d",
"signature_type": "Function"
},
{
"id": "CVE-2023-52772-a47e8732",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"168344302152716606160961578214885429874",
"55205394900931448133122118734605915500",
"2670971427589229912416157393051028082",
"219382435236205528027196446740878483402",
"56782629806247992896158929447074116451",
"38453450129905191237203402404100460129",
"268323683517676337123010734425356800897",
"150436429497525248634651395917006370056",
"272710964457692086946974176764510295681"
],
"threshold": 0.9
},
"target": {
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eae0b295ce16d8c8b4114c3037993191b4bb92f0",
"signature_type": "Line"
},
{
"id": "CVE-2023-52772-a51fc746",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"168344302152716606160961578214885429874",
"55205394900931448133122118734605915500",
"2670971427589229912416157393051028082",
"219382435236205528027196446740878483402",
"56782629806247992896158929447074116451",
"38453450129905191237203402404100460129",
"268323683517676337123010734425356800897",
"150436429497525248634651395917006370056",
"272710964457692086946974176764510295681"
],
"threshold": 0.9
},
"target": {
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4b7b492615cf3017190f55444f7016812b66611d",
"signature_type": "Line"
},
{
"id": "CVE-2023-52772-c7c79b76",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 719.0,
"function_hash": "14460727214906403442988954938372941246"
},
"target": {
"function": "unix_stream_recv_urg",
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@069a3ec329ff43e7869a3d94c62cd03203016bce",
"signature_type": "Function"
},
{
"id": "CVE-2023-52772-cc856fd9",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"168344302152716606160961578214885429874",
"55205394900931448133122118734605915500",
"2670971427589229912416157393051028082",
"219382435236205528027196446740878483402",
"56782629806247992896158929447074116451",
"38453450129905191237203402404100460129",
"268323683517676337123010734425356800897",
"150436429497525248634651395917006370056",
"272710964457692086946974176764510295681"
],
"threshold": 0.9
},
"target": {
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d179189eec426fe4801e4b91efa1889faed12700",
"signature_type": "Line"
},
{
"id": "CVE-2023-52772-da0e336f",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 719.0,
"function_hash": "14460727214906403442988954938372941246"
},
"target": {
"function": "unix_stream_recv_urg",
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d179189eec426fe4801e4b91efa1889faed12700",
"signature_type": "Function"
},
{
"id": "CVE-2023-52772-fc57e4cd",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"168344302152716606160961578214885429874",
"55205394900931448133122118734605915500",
"2670971427589229912416157393051028082",
"219382435236205528027196446740878483402",
"56782629806247992896158929447074116451",
"38453450129905191237203402404100460129",
"268323683517676337123010734425356800897",
"150436429497525248634651395917006370056",
"272710964457692086946974176764510295681"
],
"threshold": 0.9
},
"target": {
"file": "net/unix/af_unix.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75bcfc188abf4fae9c1d5f5dc0a03540be602eef",
"signature_type": "Line"
}
]