[SRU][F/J/L][PATCH 0/1] CVE-2023-4622
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Wed Sep 13 22:03:01 UTC 2023
On Wed, Sep 13, 2023 at 05:43:59PM -0400, Yuxuan Luo wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's af_unix component can
> be exploited to achieve local privilege escalation. The
> unix_stream_sendpage() function tries to add data to the last skb in the
> peer's recv queue without locking the queue. Thus there is a race where
> unix_stream_sendpage() could access an skb locklessly that is being
> released by garbage collection, resulting in use-after-free. We recommend
> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>
> [Backport]
> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>
Though this is said in the commit message, I think it is important to explain
why this was picked from a stable release. sendpage got some refactoring during
6.5 development and so this issue does not affect mainline.
So upstream applied a fix on the stable releases to avoid backporting that
refactoring.
Cascardo.
> [Test]
> Smoke tested via building an AF_UNIX echo server and connecting to it.
>
> [Potential Regression]
> Expect very low regression.
>
This could regress sendpage on unix sockets. The smoke test could be improved
by doing some sendfile on the socket.
> Kuniyuki Iwashima (1):
> af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>
> net/unix/af_unix.c | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list