CVE-2023-53023

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53023
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53023.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53023
Related
Published
2025-03-27T17:15:51Z
Modified
2025-04-01T17:01:05.759409Z
Downstream
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: nfc: Fix use-after-free in local_cleanup()

Fix a use-after-free that occurs in kfree_skb() called from local_cleanup(). This could happen when killing nfc daemon (e.g. neard) after detaching an nfc device. When detaching an nfc device, local_cleanup() called from nfc_llcp_unregister_device() frees local->rx_pending and decreases local->ref by kref_put() in nfc_llcp_local_put(). In the terminating process, nfc daemon releases all sockets and it leads to decreasing local->ref. After the last release of local->ref, local_cleanup() called from local_release() frees local->rx_pending again, which leads to the bug.

Setting local->rx_pending to NULL in local_cleanup() could prevent use-after-free when local_cleanup() is called twice.

Found by a modified version of syzkaller.

BUG: KASAN: use-after-free in kfree_skb()

Call Trace:
 dump_stack_lvl (lib/dump_stack.c:106)
 print_address_description.constprop.0.cold (mm/kasan/report.c:306)
 kasan_check_range (mm/kasan/generic.c:189)
 kfree_skb (net/core/skbuff.c:955)
 local_cleanup (net/nfc/llcp_core.c:159)
 nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
 nfc_llcp_local_put (net/nfc/llcp_core.c:181)
 llcp_sock_destruct (net/nfc/llcp_sock.c:959)
 __sk_destruct (net/core/sock.c:2133)
 sk_destruct (net/core/sock.c:2181)
 __sk_free (net/core/sock.c:2192)
 sk_free (net/core/sock.c:2203)
 llcp_sock_release (net/nfc/llcp_sock.c:646)
 __sock_release (net/socket.c:650)
 sock_close (net/socket.c:1365)
 __fput (fs/file_table.c:306)
 task_work_run (kernel/task_work.c:179)
 ptrace_notify (kernel/signal.c:2354)
 syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
 syscall_exit_to_user_mode (kernel/entry/common.c:296)
 do_syscall_64 (arch/x86/entry/common.c:86)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)

Allocated by task 4719:
 kasan_save_stack (mm/kasan/common.c:45)
 __kasan_slab_alloc (mm/kasan/common.c:325)
 slab_post_alloc_hook (mm/slab.h:766)
 kmem_cache_alloc_node (mm/slub.c:3497)
 __alloc_skb (net/core/skbuff.c:552)
 pn533_recv_response (drivers/nfc/pn533/usb.c:65)
 __usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
 usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
 tasklet_action_common.isra.0 (kernel/softirq.c:797)
 __do_softirq (kernel/softirq.c:571)

Freed by task 1901:
 kasan_save_stack (mm/kasan/common.c:45)
 kasan_set_track (mm/kasan/common.c:52)
 kasan_save_free_info (mm/kasan/genericdd.c:518)
 __kasan_slab_free (mm/kasan/common.c:236)
 kmem_cache_free (mm/slub.c:3809)
 kfree_skbmem (net/core/skbuff.c:874)
 kfree_skb (net/core/skbuff.c:931)
 local_cleanup (net/nfc/llcp_core.c:159)
 nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
 nfc_unregister_device (net/nfc/core.c:1179)
 pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
 pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
 usb_unbind_interface (drivers/usb/core/driver.c:458)
 device_release_driver_internal (drivers/base/dd.c:1279)
 bus_remove_device (drivers/base/bus.c:529)
 device_del (drivers/base/core.c:3665)
 usb_disable_device (drivers/usb/core/message.c:1420)
 usb_disconnect (drivers/usb/core.c:2261)
 hub_event (drivers/usb/core/hub.c:5833)
 process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
 worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
 kthread (kernel/kthread.c:319)
 ret_from_fork (arch/x86/entry/entry_64.S:301)

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.1.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.3.7-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.1.128-1
6.1.129-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}