| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120951-CVE-2023-53825-1018@gregkh>
Date: Tue, 9 Dec 2025 10:31:09 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53825: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720
("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by
updating kcm_tx_msg(head)->last_skb if partial data is copied so that the
following sendmsg() will resume from the skb.
However, we cannot know how many bytes were copied when we get the error.
Thus, we could mess up the MSG_MORE queue.
When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we
do so for UDP by udp_flush_pending_frames().
Even without this change, when the error occurred, the following sendmsg()
resumed from a wrong skb and the queue was messed up. However, we have
yet to get such a report, and only syzkaller stumbled on it. So, this
can be changed safely.
Note this does not change SOCK_SEQPACKET behaviour.
The Linux kernel CVE team has assigned CVE-2023-53825 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 4.14.326 with commit 21b467735b0888a8daa048f83d3b9b50fdab71ce
Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 4.19.295 with commit d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b
Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 5.4.257 with commit 1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b
Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 5.10.195 with commit 2e18493c421428a936946c452461b8e979088f17
Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 5.15.132 with commit 55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc
Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 6.1.54 with commit e5b28ce127a690f3acc49a6a342e6c9442c9edd6
Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 6.5.4 with commit 992b2ac783aad360b98ed9d4686e86176a20f6f1
Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 6.6 with commit a22730b1b4bf437c6bbfdeff5feddf54be4aeada
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53825
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/kcm/kcmsock.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/21b467735b0888a8daa048f83d3b9b50fdab71ce
https://git.kernel.org/stable/c/d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b
https://git.kernel.org/stable/c/1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b
https://git.kernel.org/stable/c/2e18493c421428a936946c452461b8e979088f17
https://git.kernel.org/stable/c/55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc
https://git.kernel.org/stable/c/e5b28ce127a690f3acc49a6a342e6c9442c9edd6
https://git.kernel.org/stable/c/992b2ac783aad360b98ed9d4686e86176a20f6f1
https://git.kernel.org/stable/c/a22730b1b4bf437c6bbfdeff5feddf54be4aeada
Powered by blists - more mailing lists