| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091859-CVE-2023-53445-7b18@gregkh> Date: Thu, 18 Sep 2025 18:04:36 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53445: net: qrtr: Fix a refcount bug in qrtr_recvmsg() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Fix a refcount bug in qrtr_recvmsg() Syzbot reported a bug as following: refcount_t: addition on 0; use-after-free. ... RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 ... Call Trace: <TASK> __refcount_add include/linux/refcount.h:199 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] kref_get include/linux/kref.h:45 [inline] qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline] qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline] qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline] qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070 sock_recvmsg_nosec net/socket.c:1017 [inline] sock_recvmsg+0xe2/0x160 net/socket.c:1038 qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688 process_one_work+0x991/0x15c0 kernel/workqueue.c:2390 worker_thread+0x669/0x1090 kernel/workqueue.c:2537 It occurs in the concurrent scenario of qrtr_recvmsg() and qrtr_endpoint_unregister() as following: cpu0 cpu1 qrtr_recvmsg qrtr_endpoint_unregister qrtr_send_resume_tx qrtr_node_release qrtr_node_lookup mutex_lock(&qrtr_node_lock) spin_lock_irqsave(&qrtr_nodes_lock, ) refcount_dec_and_test(&node->ref) [node->ref == 0] radix_tree_lookup [node != NULL] __qrtr_node_release qrtr_node_acquire spin_lock_irqsave(&qrtr_nodes_lock, ) kref_get(&node->ref) [WARNING] ... mutex_unlock(&qrtr_node_lock) Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this is actually improving the protection of node reference. The Linux kernel CVE team has assigned CVE-2023-53445 to this issue. Affected and fixed versions =========================== Issue introduced in 5.6 with commit 0a7e0d0ef05440db03c3199e84d228db943b237f and fixed in 5.10.178 with commit 98a9cd82c541ef6cbdb829cd6c05cbbb471e373c Issue introduced in 5.6 with commit 0a7e0d0ef05440db03c3199e84d228db943b237f and fixed in 5.15.107 with commit b9ba5906c42089f8e1d0001b7b50a7940f086cbb Issue introduced in 5.6 with commit 0a7e0d0ef05440db03c3199e84d228db943b237f and fixed in 6.1.24 with commit aa95efa187b4114075f312b3c4680d050b56fdec Issue introduced in 5.6 with commit 0a7e0d0ef05440db03c3199e84d228db943b237f and fixed in 6.2.11 with commit 48a07f6e00d305597396da4d7494b81cec05b9d3 Issue introduced in 5.6 with commit 0a7e0d0ef05440db03c3199e84d228db943b237f and fixed in 6.3 with commit 44d807320000db0d0013372ad39b53e12d52f758 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53445 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/qrtr/af_qrtr.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/98a9cd82c541ef6cbdb829cd6c05cbbb471e373c https://git.kernel.org/stable/c/b9ba5906c42089f8e1d0001b7b50a7940f086cbb https://git.kernel.org/stable/c/aa95efa187b4114075f312b3c4680d050b56fdec https://git.kernel.org/stable/c/48a07f6e00d305597396da4d7494b81cec05b9d3 https://git.kernel.org/stable/c/44d807320000db0d0013372ad39b53e12d52f758
Powered by blists - more mailing lists