[SRU][F/J/L][PATCH 0/1] CVE-2023-4622

Yuxuan Luo yuxuan.luo at canonical.com
Fri Sep 15 14:05:50 UTC 2023


On 9/15/23 04:14, Stefan Bader wrote:
> On 15.09.23 00:13, Yuxuan Luo wrote:
>>
>> On 9/13/23 18:03, Thadeu Lima de Souza Cascardo wrote:
>>> On Wed, Sep 13, 2023 at 05:43:59PM -0400, Yuxuan Luo wrote:
>>>> [Impact]
>>>> A use-after-free vulnerability in the Linux kernel's af_unix component can
>>>> be exploited to achieve local privilege escalation. The
>>>> unix_stream_sendpage() function tries to add data to the last skb in the
>>>> peer's recv queue without locking the queue. Thus there is a race where
>>>> unix_stream_sendpage() could access an skb locklessly that is being
>>>> released by garbage collection, resulting in use-after-free. We recommend
>>>> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>>>>
>>>> [Backport]
>>>> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>>>>
>>> Though this is said in the commit message, I think it is important to explain
>>> why this was picked from a stable release. sendpage got some refactoring during
>>> 6.5 development and so this issue does not affect mainline.
>>>
>>> So upstream applied a fix on the stable releases to avoid backporting that
>>> refactoring.
>>>
>>> Cascardo.
>>>
>>>> [Test]
>>>> Smoke tested via building an AF_UNIX echo server and connecting to it.
>>>>
>>>> [Potential Regression]
>>>> Expect very low regression.
>>>>
>>> This could regress sendpage on unix sockets. The smoke test could be improved
>>> by doing some sendfile on the socket.
>>
>> Now smoke tested again with sendfile() (which eventually triggers the
>> modified unix_stream_sendpage()).
>
> Is that good or bad?
>
> -Stefan
Test results came out good: the sendfile() worked as intended.
>
>>
>>>
>>>> Kuniyuki Iwashima (1):
>>>>    af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>>>>
>>>>   net/unix/af_unix.c | 9 ++++-----
>>>>   1 file changed, 4 insertions(+), 5 deletions(-)
>>>>
>>>> -- 
>>>> 2.34.1
>>>>
>>>>
>>>> -- 
>>>> kernel-team mailing list
>>>> kernel-team at lists.ubuntu.com
>>>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>>
>
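
Added example (not part of the original thread, and not the test the patch author ran): a minimal C regression check of the kind suggested above, which queues a file onto an AF_UNIX stream socket with several sendfile() calls before the peer reads anything, then verifies the received bytes. The function name, sizes and byte pattern are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/sendfile.h>
#include <sys/socket.h>

/* Returns 0 if `total` bytes pushed with sendfile() in `chunk`-sized calls over
 * an AF_UNIX stream socketpair arrive intact, -1 otherwise. Keep `total` well
 * below the socket send buffer: nothing is read until everything is queued. */
int unix_sendfile_smoke(size_t total, size_t chunk)
{
    int sv[2] = { -1, -1 }, rc = -1;
    unsigned char *want = malloc(total), *got = malloc(total), extra;
    FILE *tmp = tmpfile();                 /* anonymous file, removed on close */
    off_t off = 0;
    size_t i, rcvd = 0;

    if (!want || !got || !tmp || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        goto out;
    for (i = 0; i < total; i++)            /* constructed, non-repeating-per-page pattern */
        want[i] = (unsigned char)(i * 31 + 7);
    if (fwrite(want, 1, total, tmp) != total || fflush(tmp) != 0)
        goto out;
    /* Several sends with no read in between, so data piles up at the peer. */
    while ((size_t)off < total) {
        size_t n = total - (size_t)off < chunk ? total - (size_t)off : chunk;
        if (sendfile(sv[0], fileno(tmp), &off, n) <= 0)
            goto out;
    }
    shutdown(sv[0], SHUT_WR);              /* lets the reader see EOF */
    while (rcvd < total) {
        ssize_t r = read(sv[1], got + rcvd, total - rcvd);
        if (r <= 0)
            goto out;
        rcvd += (size_t)r;
    }
    /* Exactly `total` bytes, then EOF, and the content must match. */
    if (read(sv[1], &extra, 1) == 0 && memcmp(want, got, total) == 0)
        rc = 0;
out:
    if (tmp) fclose(tmp);
    close(sv[0]); close(sv[1]);
    free(want); free(got);
    return rc;
}

int main(void) { return unix_sendfile_smoke(3 * 4096 + 123, 1000) == 0 ? 0 : 1; }
```

This checks for a functional regression in the sendfile() path only; it does not attempt to exercise the race with garbage collection described in [Impact].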


