CVE-2023-53136

Summary

In the Linux kernel, the following vulnerability has been resolved:

af_unix: fix struct pid leaks in OOB support

syzbot reported struct pid leak [1].

Issue is that queue_oob() calls maybe_add_creds() which potentially holds a reference on a pid.

But skb->destructor is not set (either directly or by calling unix_scm_to_skb())

This means that subsequent kfree_skb() or consume_skb() would leak this reference.

In this fix, I chose to fully support scm even for the OOB message.

[1] BUG: memory leak unreferenced object 0xffff8881053e7f80 (size 128): comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: [<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180 [<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285 [<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684 [<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825 [<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 [<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Affected Software

VendorProductVersion RangeStatus
LinuxLinux314001f0bf927015e459c9d387d62a231fe93af3 < f3969427fb06a2c3cd6efd7faab63505cfa76e76affected
LinuxLinux314001f0bf927015e459c9d387d62a231fe93af3 < ac1968ac399205fda9ee3b18f7de7416cb3a5d0daffected
LinuxLinux314001f0bf927015e459c9d387d62a231fe93af3 < a59d6306263c38e5c0592ea4451ca26a0778c947affected
LinuxLinux314001f0bf927015e459c9d387d62a231fe93af3 < 2aab4b96900272885bc157f8b236abf1cdc02e08affected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux5.15.103 <= 5.15.*unaffected
LinuxLinux6.1.20 <= 6.1.*unaffected
LinuxLinux6.2.7 <= 6.2.*unaffected
LinuxLinux6.3 <= *unaffected

Weaknesses

References