CVE-2023-52885

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-52885
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b Patch
https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f Patch
https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428 Patch
https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065 Patch
https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254 Patch
https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e Patch
https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee Patch
https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
History

21 Aug 2024, 17:03

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b - () https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b - Patch
References () https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f - () https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f - Patch
References () https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428 - () https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428 - Patch
References () https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065 - () https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065 - Patch
References () https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254 - () https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254 - Patch
References () https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e - () https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e - Patch
References () https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee - () https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee - Patch
References () https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287 - () https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287 - Patch
CWE CWE-416
First Time Linux linux Kernel
Linux
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

15 Jul 2024, 13:00

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: SUNRPC: corrige UAF en svc_tcp_listen_data_ready() Después de que se libera el oyente svc_sock, y antes de invocar svc_tcp_accept() para el calcetín secundario establecido, hay una ventana que indica que el newsock retiene un oyente liberado. svc_sock en sk_user_data que clona desde el padre. En la ventana de ejecución, si se reciben datos en el newsock, observaremos el informe de use-after-free en svc_tcp_listen_data_ready(). Reproducir mediante dos tareas: 1. while:; hacer rpc.nfsd 0; rpc.nfsd; hecho 2. mientras:; hacer eco "" | ncat -4 127.0.0.1 2049; Informe KASAN hecho: ================================================= ==================== ERROR: KASAN: slab-use-after-free en svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Lectura de tamaño 8 en la dirección ffff888139d96228 por tarea nc /102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Nombre de hardware: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/11/2020 Seguimiento de llamadas: dump_stack_lvl+ 0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_ establecido+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 Process_backlog+0x24c/0x5e 0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 ... Asignado por la tarea 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] 0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x3 8/0x90 Entry_SYSCALL_64_after_hwframe+0x72/0xdc Liberado por la tarea 102551: kasan_save_stack +0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] _destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+ 0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entrada_SYSCALL_ 64_after_hwframe+0x72/0xdc Arregle el UAF simplemente sin hacer nada en svc_tcp_listen_data_ready() si state!= TCP_LISTEN, eso evitará desreferenciar svsk para todos los sockets secundarios.

14 Jul 2024, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-14 08:15

Updated : 2024-08-21 17:03

NVD link : CVE-2023-52885

Mitre link : CVE-2023-52885

CVE.ORG link : CVE-2023-52885

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024