CVE-2023-53198

In the Linux kernel, the following vulnerability has been resolved:

raw: Fix NULL deref in rawgetnext().

Dae R. Jeong reported a NULL deref in rawgetnext() [0].

It seems that the repro was running these sequences in parallel so that one thread was iterating on a socket that was being freed in another netns.

unshare(0x40060200) r0 = syzopenprocfs(0x0, &(0x7f0000002080)='net/raw\x00') socket$ineticmpraw(0x2, 0x3, 0x1) pread64(r0, &(0x7f0000000000)=""/10, 0xa, 0x10000000007f)

After commit 0daf07e52709 ("raw: convert raw sockets to RCU"), we use RCU and hlistnullsforeachentry() to iterate over SOCK_RAW sockets. However, we should use spinlock for slow paths to avoid the NULL deref.

Also, SOCKRAW does not use SLABTYPESAFEBYRCU, and the slab object is not reused during iteration in the grace period. In fact, the lockless readers do not check the nulls marker with getnullsvalue(). So, SOCKRAW should use hlist instead of hlistnulls.

Instead of adding an unnecessary barrier by sknullsforeachrcu(), let's convert hlistnulls to hlist and use skforeachrcu() for fast paths and skforeach() and spinlock for /proc/net/raw.

KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:readpnet include/net/netnamespace.h:383 [inline] RIP: 0010:socknet include/net/sock.h:649 [inline] RIP: 0010:rawgetnext net/ipv4/raw.c:974 [inline] RIP: 0010:rawgetidx net/ipv4/raw.c:986 [inline] RIP: 0010:rawseqstart+0x431/0x800 net/ipv4/raw.c:995 Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206 RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000 RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338 RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9 R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78 R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030 FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> seqreaditer+0x4c6/0x10f0 fs/seqfile.c:225 seqread+0x224/0x320 fs/seqfile.c:162 pderead fs/proc/inode.c:316 [inline] procregread+0x23f/0x330 fs/proc/inode.c:328 vfsread+0x31e/0xd30 fs/readwrite.c:468 ksyspread64 fs/readwrite.c:665 [inline] _dosyspread64 fs/readwrite.c:675 [inline] _sesyspread64 fs/readwrite.c:672 [inline] _x64syspread64+0x1e9/0x280 fs/readwrite.c:672 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x4e/0xa0 arch/x86/entry/common.c:82 entrySYSCALL64afterhwframe+0x63/0xcd RIP: 0033:0x478d29 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIGRAX: 0000000000000011 RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29 RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003 RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000 R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740 R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010 ---truncated---