CVE-2023-54195

Summary

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix timeout of a call that hasn't yet been granted a channel

afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
...
Call Trace:
 <TASK>
 rxrpc_send_ACK+0x50/0x13b
 rxrpc_input_call_event+0x16a/0x67d
 rxrpc_io_thread+0x1b6/0x45f
 ? _raw_spin_unlock_irqrestore+0x1f/0x35
 ? rxrpc_input_packet+0x519/0x519
 kthread+0xe7/0xef
 ? kthread_complete_and_exit+0x1b/0x1b
 ret_from_fork+0x22/0x30

Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted.

It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d < 92128a7170a220b5126d09a1c1954a3a8d46cef3affected
LinuxLinux9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d < 72f4a9f3f447948cf86dffe1c4a4c8a429ab9666affected
LinuxLinux9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d < db099c625b13a74d462521a46d98a8ce5b53af5daffected
LinuxLinux6.2affected
LinuxLinux0 < 6.2unaffected
LinuxLinux6.2.16 <= 6.2.*unaffected
LinuxLinux6.3.3 <= 6.3.*unaffected
LinuxLinux6.4 <= *unaffected

Weaknesses

References