[SRU][F/J/L][PATCH 0/1] CVE-2023-4622
Yuxuan Luo
yuxuan.luo at canonical.com
Thu Sep 14 22:13:34 UTC 2023
On 9/13/23 18:03, Thadeu Lima de Souza Cascardo wrote:
> On Wed, Sep 13, 2023 at 05:43:59PM -0400, Yuxuan Luo wrote:
>> [Impact]
>> A use-after-free vulnerability in the Linux kernel's af_unix component can
>> be exploited to achieve local privilege escalation. The
>> unix_stream_sendpage() function tries to add data to the last skb in the
>> peer's recv queue without locking the queue. Thus there is a race where
>> unix_stream_sendpage() could access an skb locklessly that is being
>> released by garbage collection, resulting in use-after-free. We recommend
>> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>>
>> [Backport]
>> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>>
> Though this is said in the commit message, I think it is important to explain
> why this was picked from a stable release. sendpage got some refactoring during
> 6.5 development and so this issue does not affect mainline.
>
> So upstream applied a fix on the stable releases to avoid backporting that
> refactoring.
>
> Cascardo.
>
>> [Test]
>> Smoke tested via building an AF_UNIX echo server and connecting to it.
>>
>> [Potential Regression]
>> Expect very low regression.
>>
> This could regress sendpage on unix sockets. The smoke test could be improved
> by doing some sendfile on the socket.
Now smoke tested again with sendfile() (which eventually triggers the
modified unix_stream_sendpage()).
>
>> Kuniyuki Iwashima (1):
>> af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>>
>> net/unix/af_unix.c | 9 ++++-----
>> 1 file changed, 4 insertions(+), 5 deletions(-)
>>
>> --
>> 2.34.1
>>
>>
>> --
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
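The sendfile() smoke test suggested in the thread, written out as an added example that is not part of the thread or the kernel tree. It assumes Linux (socketpair(), sendfile(), fork()), and that on kernels predating the 6.5 sendpage refactoring the sendfile() call reaches unix_stream_sendpage(); the helper name unix_sendfile_smoke and the payload pattern are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/sendfile.h>
#include <sys/wait.h>

/* Push `len` bytes of a known pattern from a temp file through an AF_UNIX
 * stream socket with sendfile() and check they arrive intact on the peer.
 * Returns 1 on success, 0 on any failure. A forked child does the
 * sendfile() so the parent can drain the socket and neither side blocks
 * on a full socket buffer. */
int unix_sendfile_smoke(size_t len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;

    FILE *tf = tmpfile();                 /* constructed payload file */
    if (!tf) return 0;
    for (size_t i = 0; i < len; i++) fputc('A' + (i % 26), tf);
    fflush(tf);

    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                       /* sender: file -> socket via sendfile() */
        close(sv[1]);
        off_t off = 0;
        while ((size_t)off < len) {
            ssize_t n = sendfile(sv[0], fileno(tf), &off, len - (size_t)off);
            if (n <= 0) _exit(1);
        }
        _exit(0);
    }

    close(sv[0]);                         /* receiver: drain the socket and verify */
    unsigned char *buf = malloc(len);
    size_t got = 0;
    int ok = buf != NULL;
    while (ok && got < len) {
        ssize_t n = read(sv[1], buf + got, len - got);
        if (n <= 0) { ok = 0; break; }
        got += (size_t)n;
    }
    for (size_t i = 0; ok && i < len; i++)
        if (buf[i] != (unsigned char)('A' + (i % 26))) ok = 0;

    int status = 0;
    waitpid(pid, &status, 0);
    free(buf); fclose(tf); close(sv[1]);
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Run it in a loop on the patched kernel; a hang, a mismatch or a kernel splat in the log is the regression signal the test is looking for.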