[SRU][F/J/L][PATCH 0/1] CVE-2023-4622

Stefan Bader stefan.bader at canonical.com
Fri Sep 15 08:14:36 UTC 2023


On 15.09.23 00:13, Yuxuan Luo wrote:
> 
> On 9/13/23 18:03, Thadeu Lima de Souza Cascardo wrote:
>> On Wed, Sep 13, 2023 at 05:43:59PM -0400, Yuxuan Luo wrote:
>>> [Impact]
>>> A use-after-free vulnerability in the Linux kernel's af_unix component
>>> can be exploited to achieve local privilege escalation. The
>>> unix_stream_sendpage() function tries to add data to the last skb in the
>>> peer's recv queue without locking the queue. Thus there is a race where
>>> unix_stream_sendpage() could access an skb locklessly that is being
>>> released by garbage collection, resulting in use-after-free. We
>>> recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>>>
>>> [Backport]
>>> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>>>
>> Though this is said in the commit message, I think it is important to
>> explain why this was picked from a stable release. sendpage got some
>> refactoring during 6.5 development and so this issue does not affect
>> mainline.
>>
>> So upstream applied a fix on the stable releases to avoid backporting
>> that refactoring.
>>
>> Cascardo.
>>
>>> [Test]
>>> Smoke tested via building an AF_UNIX echo server and connecting to it.
>>>
>>> [Potential Regression]
>>> Expect very low regression.
>>>
>> This could regress sendpage on unix sockets. The smoke test could be
>> improved by doing some sendfile on the socket.
> 
> Now smoke tested again with sendfile() (which eventually triggers the
> modified unix_stream_sendpage()).

Is that good or bad?

-Stefan

> 
>>
>>> Kuniyuki Iwashima (1):
>>>    af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>>>
>>>   net/unix/af_unix.c | 9 ++++-----
>>>   1 file changed, 4 insertions(+), 5 deletions(-)
>>>
>>> -- 
>>> 2.34.1
>>>
>>>
>>> -- 
>>> kernel-team mailing list
>>> kernel-team at lists.ubuntu.com
>>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 

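The sendfile()-on-a-unix-socket smoke test that Cascardo asks for above, written out as an added example; it is not code from the thread, the patch, or the Ubuntu kernel tree. It assumes Linux (sendfile(2) accepts a socket as out_fd) and uses a socketpair instead of a separate echo server so it runs stand-alone. Several sendfile() calls are queued before the peer reads anything, so that each call after the first finds an unread skb at the tail of the peer's receive queue, which is the path the patched function takes; the data is then read back and compared. Function names and the constructed test pattern are mine.

```c
/* Added example (not from the patch or the thread): smoke test for the
 * sendfile() -> unix_stream_sendpage() path on an AF_UNIX stream socket.
 * Assumes Linux. Constructed input: a temp file filled with a byte pattern. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/sendfile.h>

/* sendfile() the first len bytes of file_fd over sock, retrying short sends.
 * Passing an explicit offset leaves the file position untouched, so every
 * round starts again from the beginning of the file. */
static int sendfile_all(int sock, int file_fd, size_t len)
{
    off_t off = 0;
    while (off < (off_t)len) {
        ssize_t n = sendfile(sock, file_fd, &off, len - (size_t)off);
        if (n <= 0)
            return -1;
    }
    return 0;
}

/* Read exactly len bytes from sock into buf. */
static int read_all(int sock, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(sock, buf + got, len - got);
        if (n <= 0)
            return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Returns the number of bytes sent and verified, or -1 on any failure.
 * chunk * rounds must stay below the socket buffer size (a few hundred KiB
 * by default) because nothing drains the peer until all sendfile() calls
 * have returned. */
long unix_sendfile_smoke_test(size_t chunk, int rounds)
{
    int sv[2];
    FILE *tmp = NULL;
    unsigned char *pattern = NULL, *rxbuf = NULL;
    long result = -1;
    int i;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    tmp = tmpfile();                      /* constructed input file */
    pattern = malloc(chunk);
    rxbuf = malloc(chunk * (size_t)rounds);
    if (!tmp || !pattern || !rxbuf)
        goto out;
    for (size_t j = 0; j < chunk; j++)
        pattern[j] = (unsigned char)(j * 7 + 1);
    if (fwrite(pattern, 1, chunk, tmp) != chunk || fflush(tmp) != 0)
        goto out;

    /* Queue every chunk before the peer reads: from the second call on,
     * sendfile() finds an unread skb at the tail of the peer's queue. */
    for (i = 0; i < rounds; i++)
        if (sendfile_all(sv[0], fileno(tmp), chunk) < 0)
            goto out;

    /* Drain the peer and check that every chunk arrived intact and in order. */
    if (read_all(sv[1], rxbuf, chunk * (size_t)rounds) < 0)
        goto out;
    for (i = 0; i < rounds; i++)
        if (memcmp(rxbuf + (size_t)i * chunk, pattern, chunk) != 0)
            goto out;
    result = (long)(chunk * (size_t)rounds);
out:
    free(pattern);
    free(rxbuf);
    if (tmp)
        fclose(tmp);
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    long n = unix_sendfile_smoke_test(4096, 4);
    printf("%s: %ld bytes\n", n < 0 ? "FAIL" : "OK", n);
    return n < 0 ? 1 : 0;
}
```

Run it on the patched kernel in a loop (or with KASAN enabled) to cover the race window more than once; a single pass only shows that the sendpage path still moves data correctly.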