CVE-2023-52885

Severity: High (CVSS 3.1 base score 7.8)
EPSS: 11.9%
Published: Jul 14, 2024
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix UAF in svc_tcp_listen_data_ready()

After the listener svc_sock is freed, and before svc_tcp_accept() is invoked for the established child sock, there is a window in which the newsock retains a freed listener svc_sock in sk_user_data, cloned from the parent. In the race window, if data is received on the newsock, a use-after-free report is observed in svc_tcp_listen_data_ready().

Reproduce with two tasks:

1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done

KASAN report:

==================================================================
BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
Read of size 8 at addr ffff888139d96228 by task nc/102553

CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
 <IRQ>
 dump_stack_lvl+0x33/0x50
 print_address_description.constprop.0+0x27/0x310
 print_report+0x3e/0x70
 kasan_report+0xae/0xe0
 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
 tcp_data_queue+0x9f4/0x20e0
 tcp_rcv_established+0x666/0x1f60
 tcp_v4_do_rcv+0x51c/0x850
 tcp_v4_rcv+0x23fc/0x2e80
 ip_protocol_deliver_rcu+0x62/0x300
 ip_local_deliver_finish+0x267/0x350
 ip_local_deliver+0x18b/0x2d0
 ip_rcv+0x2fb/0x370
 __netif_receive_skb_one_core+0x166/0x1b0
 process_backlog+0x24c/0x5e0
 __napi_poll+0xa2/0x500
 net_rx_action+0x854/0xc90
 __do_softirq+0x1bb/0x5de
 do_softirq+0xcb/0x100
 </IRQ>
 <TASK>
 ...
 </TASK>

Allocated by task 102371:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x7b/0x90
 svc_setup_socket+0x52/0x4f0 [sunrpc]
 svc_addsock+0x20d/0x400 [sunrpc]
 __write_ports_addfd+0x209/0x390 [nfsd]
 write_ports+0x239/0x2c0 [nfsd]
 nfsctl_transaction_write+0xac/0x110 [nfsd]
 vfs_write+0x1c3/0xae0
 ksys_write+0xed/0x1c0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Freed by task 102551:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x2a/0x50
 __kasan_slab_free+0x106/0x190
 __kmem_cache_free+0x133/0x270
 svc_xprt_free+0x1e2/0x350 [sunrpc]
 svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
 nfsd_put+0x125/0x240 [nfsd]
 nfsd_svc+0x2cb/0x3c0 [nfsd]
 write_threads+0x1ac/0x2a0 [nfsd]
 nfsctl_transaction_write+0xac/0x110 [nfsd]
 vfs_write+0x1c3/0xae0
 ksys_write+0xed/0x1c0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN; that avoids dereferencing svsk for all child sockets.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
11.9%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses

CWE-416: Use After Free (Memory Safety)

Affected Products

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥4.8   – <4.14.322
linux    linux_kernel   *         ≥4.15  – <4.19.291
linux    linux_kernel   *         ≥4.20  – <5.4.251
linux    linux_kernel   *         ≥5.5   – <5.10.188
linux    linux_kernel   *         ≥5.11  – <5.15.121
linux    linux_kernel   *         ≥5.16  – <6.1.39
linux    linux_kernel   *         ≥6.2   – <6.4.4

References

  • git.kernel.org https://git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428 (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065 (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254 (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287 (Patch)

Remediation

Apply the upstream stable patches listed under References (one per affected stable branch).