CVE-2023-53426

Summary

In the Linux kernel, the following vulnerability has been resolved:

xsk: Fix xsk_diag use-after-free error during socket cleanup

Fix a use-after-free error that is possible if the xsk_diag interface is used after the socket has been unbound from the device. This can happen either due to the socket being closed or the device disappearing. In the early days of AF_XDP, the way we tested that a socket was not bound to a device was to simply check if the netdevice pointer in the xsk socket structure was NULL. Later, a better system was introduced by having an explicit state variable in the xsk socket struct. For example, the state of a socket that is on the way to being closed and has been unbound from the device is XSK_UNBOUND.

The commit in the Fixes tag below deleted the old way of signalling that a socket is unbound, setting dev to NULL. This in the belief that all code using the old way had been exterminated. That was unfortunately not true as the xsk diagnostics code was still using the old way and thus does not work as intended when a socket is going down. Fix this by introducing a test against the state variable. If the socket is in the state XSK_UNBOUND, simply abort the diagnostic's netlink operation.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxad7219cd8751bd258b9d1e69ae0654ec00f71875 < 5979985f2d6b565b6cf0f79a62670a2855c0e96caffected
LinuxLinux18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 < 6436973164ea5506a495f39e56be5aea375e7832affected
LinuxLinux18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 < 595931912357fa3507e522a7f8a0a76e423c23e4affected
LinuxLinux18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 < 3e019d8a05a38abb5c85d4f1e85fda964610aa14affected
LinuxLinuxd1579253ffce39986e7a6ab757ac93b2680a665faffected
LinuxLinux8a2dea162b92c322f3e42eae0c4a74b8d20aa7a9affected
LinuxLinux5.15.33 < 5.15.132affected
LinuxLinux5.16.19 < 5.17affected
LinuxLinux5.17.2 < 5.18affected
LinuxLinux5.18affected
LinuxLinux0 < 5.18unaffected
LinuxLinux5.15.132 <= 5.15.*unaffected
LinuxLinux6.1.54 <= 6.1.*unaffected
LinuxLinux6.5.4 <= 6.5.*unaffected
LinuxLinux6.6 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References