CVE-2023-53781
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-53781
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53781.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-53781
- Downstream
- Published
- 2025-12-09T00:00:36.831Z
- Modified
- 2025-12-09T03:25:14.334132Z
- Summary
- smc: Fix use-after-free in tcp_write_timer_handler().
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix use-after-free in tcpwritetimer_handler().
With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcpwritetimer_handler() by kernel TCP sockets. [0]
If SMC creates a kernel socket in _smccreate(), the kernel socket is supposed to be freed in smcclcsockrelease() by calling sock_release() when we close() the parent SMC socket.
However, at the end of smcclcsockrelease(), the kernel socket's skstate might not be TCPCLOSE. This means that we have not called inetcskdestroysock() in _tcp_close() and have not stopped the TCP timers.
The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcpsubflowcreate_socket().
skalloc (./include/net/netnamespace.h:335 net/core/sock.c:2108) inetcreate (net/ipv4/afinet.c:319 net/ipv4/afinet.c:244) _sockcreate (net/socket.c:1546) smccreate (net/smc/afsmc.c:3269 net/smc/afsmc.c:3284) _sockcreate (net/socket.c:1546) _syssocket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661) _x64syssocket (net/socket.c:1672) dosyscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entrySYSCALL64afterhwframe (arch/x86/entry/entry_64.S:120)
BUG: KASAN: slab-use-after-free in tcpwritetimerhandler (net/ipv4/tcptimer.c:378 net/ipv4/tcptimer.c:624 net/ipv4/tcptimer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091
CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace: <IRQ> dumpstacklvl (lib/dumpstack.c:107) printreport (mm/kasan/report.c:320 mm/kasan/report.c:430) kasanreport (mm/kasan/report.c:538) tcpwritetimerhandler (net/ipv4/tcptimer.c:378 net/ipv4/tcptimer.c:624 net/ipv4/tcptimer.c:594) tcpwritetimer (./include/linux/spinlock.h:390 net/ipv4/tcptimer.c:643) calltimerfn (./arch/x86/include/asm/jumplabel.h:27 ./include/linux/jumplabel.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) _runtimers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022) runtimersoftirq (kernel/time/timer.c:2037) _dosoftirq (./arch/x86/include/asm/jumplabel.h:27 ./include/linux/jumplabel.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) _irqexitrcu (kernel/softirq.c:445 kernel/softirq.c:650) irqexitrcu (kernel/softirq.c:664) sysvecapictimerinterrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14)) </IRQ>
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53781.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1cc41c8acfc1ee30b4868559058db97fa44b0137
- https://git.kernel.org/stable/c/9744d2bf19762703704ecba885b7ac282c02eacf
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53781.json
- https://nvd.nist.gov/vuln/detail/CVE-2023-53781
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedac7138746e14137a451f8539614cdd349153e0c0Fixed1cc41c8acfc1ee30b4868559058db97fa44b0137Fixed9744d2bf19762703704ecba885b7ac282c02eacf