| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100425-CVE-2023-53587-411f@gregkh>
Date: Sat, 4 Oct 2025 17:51:41 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53587: ring-buffer: Sync IRQ works before buffer destruction
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Sync IRQ works before buffer destruction
If something was written to the buffer just before destruction,
it may be possible (maybe not in a real system, but it did
happen in ARCH=um with time-travel) to destroy the ringbuffer
before the IRQ work ran, leading this KASAN report (or a crash
without KASAN):
BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a
Read of size 8 at addr 000000006d640a48 by task swapper/0
CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7
Stack:
60c4f20f 0c203d48 41b58ab3 60f224fc
600477fa 60f35687 60c4f20f 601273dd
00000008 6101eb00 6101eab0 615be548
Call Trace:
[<60047a58>] show_stack+0x25e/0x282
[<60c609e0>] dump_stack_lvl+0x96/0xfd
[<60c50d4c>] print_report+0x1a7/0x5a8
[<603078d3>] kasan_report+0xc1/0xe9
[<60308950>] __asan_report_load8_noabort+0x1b/0x1d
[<60232844>] irq_work_run_list+0x11a/0x13a
[<602328b4>] irq_work_tick+0x24/0x34
[<6017f9dc>] update_process_times+0x162/0x196
[<6019f335>] tick_sched_handle+0x1a4/0x1c3
[<6019fd9e>] tick_sched_timer+0x79/0x10c
[<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695
[<60182913>] hrtimer_interrupt+0x16c/0x2c4
[<600486a3>] um_timer+0x164/0x183
[...]
Allocated by task 411:
save_stack_trace+0x99/0xb5
stack_trace_save+0x81/0x9b
kasan_save_stack+0x2d/0x54
kasan_set_track+0x34/0x3e
kasan_save_alloc_info+0x25/0x28
____kasan_kmalloc+0x8b/0x97
__kasan_kmalloc+0x10/0x12
__kmalloc+0xb2/0xe8
load_elf_phdrs+0xee/0x182
[...]
The buggy address belongs to the object at 000000006d640800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 584 bytes inside of
freed 1024-byte region [000000006d640800, 000000006d640c00)
Add the appropriate irq_work_sync() so the work finishes before
the buffers are destroyed.
Prior to the commit in the Fixes tag below, there was only a
single global IRQ work, so this issue didn't exist.
The Linux kernel CVE team has assigned CVE-2023-53587 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 4.14.315 with commit 372c5ee537b8366b64b691ba29e9335525e1655e
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 4.19.283 with commit 2702b67f59d455072a08dc40312f9b090d4dec04
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 5.4.243 with commit 2399b1fda025e939b6fb1ac94505bcf718534e65
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 5.10.180 with commit 1c99f65d6af2a454bfd5207b4f6a97c8474a1191
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 5.15.111 with commit c63741e872fcfb10e153517750f7908f0c00f60d
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 6.1.28 with commit d9834abd8b24d1fe8092859e436fe1e0fd467c61
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 6.2.15 with commit fc6858b7f8e1221f62ce8c6ff8a13a349c32cd76
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 6.3.2 with commit 0a65165bd24ee9231191597b7c232376fcd70cdb
Issue introduced in 3.10 with commit 15693458c4bc0693fd63a50d60f35b628fcf4e29 and fixed in 6.4 with commit 675751bb20634f981498c7d66161584080cc061e
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53587
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
kernel/trace/ring_buffer.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/372c5ee537b8366b64b691ba29e9335525e1655e
https://git.kernel.org/stable/c/2702b67f59d455072a08dc40312f9b090d4dec04
https://git.kernel.org/stable/c/2399b1fda025e939b6fb1ac94505bcf718534e65
https://git.kernel.org/stable/c/1c99f65d6af2a454bfd5207b4f6a97c8474a1191
https://git.kernel.org/stable/c/c63741e872fcfb10e153517750f7908f0c00f60d
https://git.kernel.org/stable/c/d9834abd8b24d1fe8092859e436fe1e0fd467c61
https://git.kernel.org/stable/c/fc6858b7f8e1221f62ce8c6ff8a13a349c32cd76
https://git.kernel.org/stable/c/0a65165bd24ee9231191597b7c232376fcd70cdb
https://git.kernel.org/stable/c/675751bb20634f981498c7d66161584080cc061e
Powered by blists - more mailing lists