| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025050236-CVE-2023-53136-74ee@gregkh> Date: Fri, 2 May 2025 17:56:41 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53136: af_unix: fix struct pid leaks in OOB support From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: af_unix: fix struct pid leaks in OOB support syzbot reported struct pid leak [1]. Issue is that queue_oob() calls maybe_add_creds() which potentially holds a reference on a pid. But skb->destructor is not set (either directly or by calling unix_scm_to_skb()) This means that subsequent kfree_skb() or consume_skb() would leak this reference. In this fix, I chose to fully support scm even for the OOB message. [1] BUG: memory leak unreferenced object 0xffff8881053e7f80 (size 128): comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180 [<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285 [<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684 [<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825 [<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 [<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd The Linux kernel CVE team has assigned CVE-2023-53136 to this issue. Affected and fixed versions =========================== Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 5.15.103 with commit f3969427fb06a2c3cd6efd7faab63505cfa76e76 Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.1.20 with commit ac1968ac399205fda9ee3b18f7de7416cb3a5d0d Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.2.7 with commit a59d6306263c38e5c0592ea4451ca26a0778c947 Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53136 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/unix/af_unix.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/f3969427fb06a2c3cd6efd7faab63505cfa76e76 https://git.kernel.org/stable/c/ac1968ac399205fda9ee3b18f7de7416cb3a5d0d https://git.kernel.org/stable/c/a59d6306263c38e5c0592ea4451ca26a0778c947 https://git.kernel.org/stable/c/2aab4b96900272885bc157f8b236abf1cdc02e08
Powered by blists - more mailing lists