CVE-2023-53204

Summary

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix data-races around user->unix_inflight.

user->unix_inflight is changed under spin_lock(unix_gc_lock), but too_many_unix_fds() reads it locklessly.

Let's annotate the write/read accesses to user->unix_inflight.

BUG: KCSAN: data-race in unix_attach_fds / unix_inflight

write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1: unix_inflight+0x157/0x180 net/unix/scm.c:66 unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123 unix_scm_to_skb net/unix/af_unix.c:1827 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0x148/0x160 net/socket.c:748 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 __sys_sendmsg+0x94/0x140 net/socket.c:2577 __do_sys_sendmsg net/socket.c:2586 [inline] __se_sys_sendmsg net/socket.c:2584 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0: too_many_unix_fds net/unix/scm.c:101 [inline] unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110 unix_scm_to_skb net/unix/af_unix.c:1827 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950 unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline] unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292 sock_sendmsg_nosec net/socket.c:725 [inline] sock_sendmsg+0x148/0x160 net/socket.c:748 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494 ___sys_sendmsg+0xc6/0x140 net/socket.c:2548 __sys_sendmsg+0x94/0x140 net/socket.c:2577 __do_sys_sendmsg net/socket.c:2586 [inline] __se_sys_sendmsg net/socket.c:2584 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

value changed: 0x000000000000000c -> 0x000000000000000d

Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Affected Software

VendorProductVersion RangeStatus
LinuxLinux712f4aad406bb1ed67f3f98d04c044191f0ff593 < df97b5ea9f3ac9308c3a633524dab382cd59d9e5affected
LinuxLinux712f4aad406bb1ed67f3f98d04c044191f0ff593 < 03d133dfbcec9d439729cc64706c7eb6d1663a24affected
LinuxLinux712f4aad406bb1ed67f3f98d04c044191f0ff593 < adcf4e069358cdee8593663650ea447215a1c49eaffected
LinuxLinux712f4aad406bb1ed67f3f98d04c044191f0ff593 < b401d7e485b0a234cf8fe9a6ae99dbcd20863138affected
LinuxLinux712f4aad406bb1ed67f3f98d04c044191f0ff593 < 9151ed4b006125cba7c06c79df504340ea4e9386affected
LinuxLinux712f4aad406bb1ed67f3f98d04c044191f0ff593 < b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250faffected
LinuxLinux712f4aad406bb1ed67f3f98d04c044191f0ff593 < ac92f239a079678a035c0faad9089354a874aedeaffected
LinuxLinux712f4aad406bb1ed67f3f98d04c044191f0ff593 < 0bc36c0650b21df36fbec8136add83936eaf0607affected
LinuxLinuxa5a6cf8c405e826ff7ed1308dde72560c0ed4854affected
LinuxLinuxdf87da0783c4492b944badfea9d5c3c56b834697affected
LinuxLinux3d024dcef2548028e9f9b7876a544e6e0af00175affected
LinuxLinuxaa51d1c24ec3b6605f7cc7ef500c96cd71d7ef90affected
LinuxLinuxa5b9e44af8d3edaf49d14a91cc519a9fba439e67affected
LinuxLinuxdc6b0ec667f67d4768e72c1b7f1bbc14ea52379caffected
LinuxLinux9b8b611fe0f86f07a4ff4a5f3bcb0ea7ceb7da3baffected
LinuxLinux5e226f9689d90ad8ab21b4a969ae3058777f0affaffected
LinuxLinux3.2.78 < 3.3affected
LinuxLinux3.10.96 < 3.11affected
LinuxLinux3.12.57 < 3.13affected
LinuxLinux3.14.60 < 3.15affected
LinuxLinux3.18.27 < 3.19affected
LinuxLinux4.1.17 < 4.2affected
LinuxLinux4.3.5 < 4.4affected
LinuxLinux4.4.1 < 4.5affected
LinuxLinux4.5affected
LinuxLinux0 < 4.5unaffected
LinuxLinux4.14.326 <= 4.14.*unaffected
LinuxLinux4.19.295 <= 4.19.*unaffected
LinuxLinux5.4.257 <= 5.4.*unaffected
LinuxLinux5.10.195 <= 5.10.*unaffected
LinuxLinux5.15.132 <= 5.15.*unaffected
LinuxLinux6.1.54 <= 6.1.*unaffected
LinuxLinux6.5.4 <= 6.5.*unaffected
LinuxLinux6.6 <= *unaffected

Weaknesses

References