CVE-2023-53204
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data-races around user->unix_inflight.
user->unix_inflight is changed under spin_lock(unix_gc_lock), but too_many_unix_fds() reads it locklessly.
Let's annotate the write/read accesses to user->unix_inflight.
BUG: KCSAN: data-race in unix_attach_fds / unix_inflight
write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1: unix_inflight+0x157/0x180 net/unix/scm.c:66 unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123 unix_scm_to_skb net/unix/af_unix.c:1827 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0x148/0x160 net/socket.c:748 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 __sys_sendmsg+0x94/0x140 net/socket.c:2577 __do_sys_sendmsg net/socket.c:2586 [inline] __se_sys_sendmsg net/socket.c:2584 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0: too_many_unix_fds net/unix/scm.c:101 [inline] unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110 unix_scm_to_skb net/unix/af_unix.c:1827 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0x148/0x160 net/socket.c:748 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 __sys_sendmsg+0x94/0x140 net/socket.c:2577 __do_sys_sendmsg net/socket.c:2586 [inline] __se_sys_sendmsg net/socket.c:2584 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
value changed: 0x000000000000000c -> 0x000000000000000d
Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 712f4aad406bb1ed67f3f98d04c044191f0ff593 < df97b5ea9f3ac9308c3a633524dab382cd59d9e5 | affected |
| Linux | Linux | 712f4aad406bb1ed67f3f98d04c044191f0ff593 < 03d133dfbcec9d439729cc64706c7eb6d1663a24 | affected |
| Linux | Linux | 712f4aad406bb1ed67f3f98d04c044191f0ff593 < adcf4e069358cdee8593663650ea447215a1c49e | affected |
| Linux | Linux | 712f4aad406bb1ed67f3f98d04c044191f0ff593 < b401d7e485b0a234cf8fe9a6ae99dbcd20863138 | affected |
| Linux | Linux | 712f4aad406bb1ed67f3f98d04c044191f0ff593 < 9151ed4b006125cba7c06c79df504340ea4e9386 | affected |
| Linux | Linux | 712f4aad406bb1ed67f3f98d04c044191f0ff593 < b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250f | affected |
| Linux | Linux | 712f4aad406bb1ed67f3f98d04c044191f0ff593 < ac92f239a079678a035c0faad9089354a874aede | affected |
| Linux | Linux | 712f4aad406bb1ed67f3f98d04c044191f0ff593 < 0bc36c0650b21df36fbec8136add83936eaf0607 | affected |
| Linux | Linux | a5a6cf8c405e826ff7ed1308dde72560c0ed4854 | affected |
| Linux | Linux | df87da0783c4492b944badfea9d5c3c56b834697 | affected |
| Linux | Linux | 3d024dcef2548028e9f9b7876a544e6e0af00175 | affected |
| Linux | Linux | aa51d1c24ec3b6605f7cc7ef500c96cd71d7ef90 | affected |
| Linux | Linux | a5b9e44af8d3edaf49d14a91cc519a9fba439e67 | affected |
| Linux | Linux | dc6b0ec667f67d4768e72c1b7f1bbc14ea52379c | affected |
| Linux | Linux | 9b8b611fe0f86f07a4ff4a5f3bcb0ea7ceb7da3b | affected |
| Linux | Linux | 5e226f9689d90ad8ab21b4a969ae3058777f0aff | affected |
| Linux | Linux | 3.2.78 < 3.3 | affected |
| Linux | Linux | 3.10.96 < 3.11 | affected |
| Linux | Linux | 3.12.57 < 3.13 | affected |
| Linux | Linux | 3.14.60 < 3.15 | affected |
| Linux | Linux | 3.18.27 < 3.19 | affected |
| Linux | Linux | 4.1.17 < 4.2 | affected |
| Linux | Linux | 4.3.5 < 4.4 | affected |
| Linux | Linux | 4.4.1 < 4.5 | affected |
| Linux | Linux | 4.5 | affected |
| Linux | Linux | 0 < 4.5 | unaffected |
| Linux | Linux | 4.14.326 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.295 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.257 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.195 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.132 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.54 <= 6.1.* | unaffected |
| Linux | Linux | 6.5.4 <= 6.5.* | unaffected |
| Linux | Linux | 6.6 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/df97b5ea9f3ac9308c3a633524dab382cd59d9e5
- https://git.kernel.org/stable/c/03d133dfbcec9d439729cc64706c7eb6d1663a24
- https://git.kernel.org/stable/c/adcf4e069358cdee8593663650ea447215a1c49e
- https://git.kernel.org/stable/c/b401d7e485b0a234cf8fe9a6ae99dbcd20863138
- https://git.kernel.org/stable/c/9151ed4b006125cba7c06c79df504340ea4e9386
- https://git.kernel.org/stable/c/b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250f
- https://git.kernel.org/stable/c/ac92f239a079678a035c0faad9089354a874aede
- https://git.kernel.org/stable/c/0bc36c0650b21df36fbec8136add83936eaf0607
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.