Message-ID: <2025122428-CVE-2023-54006-d646@gregkh>
Date: Wed, 24 Dec 2025 11:56:50 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-54006: af_unix: Fix data-race around unix_tot_inflight.
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix data-race around unix_tot_inflight.

unix_tot_inflight is changed under spin_lock(unix_gc_lock), but
unix_release_sock() reads it locklessly.

Let's use READ_ONCE() for unix_tot_inflight.

Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix:
annote lockless accesses to unix_tot_inflight & gc_in_progress")
BUG: KCSAN: data-race in unix_inflight / unix_release_sock
write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:
unix_inflight+0x130/0x180 net/unix/scm.c:64
unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123
unix_scm_to_skb net/unix/af_unix.c:1832 [inline]
unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg+0x148/0x160 net/socket.c:747
____sys_sendmsg+0x4e4/0x610 net/socket.c:2493
___sys_sendmsg+0xc6/0x140 net/socket.c:2547
__sys_sendmsg+0x94/0x140 net/socket.c:2576
__do_sys_sendmsg net/socket.c:2585 [inline]
__se_sys_sendmsg net/socket.c:2583 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2583
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:
unix_release_sock+0x608/0x910 net/unix/af_unix.c:671
unix_release+0x59/0x80 net/unix/af_unix.c:1058
__sock_release+0x7d/0x170 net/socket.c:653
sock_close+0x19/0x30 net/socket.c:1385
__fput+0x179/0x5e0 fs/file_table.c:321
____fput+0x15/0x20 fs/file_table.c:349
task_work_run+0x116/0x1a0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x72/0xdc
value changed: 0x00000000 -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
The Linux kernel CVE team has assigned CVE-2023-54006 to this issue.
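To make the pattern concrete, here is an added user-space model of the access the fix marks; it is example code written for this page, not kernel code. A counter standing in for unix_tot_inflight is only ever modified under a mutex (standing in for unix_gc_lock), while a second thread polls it without taking the lock, as unix_release_sock() does. The READ_ONCE()/WRITE_ONCE() macros are reduced to their core, a volatile access, so that every iteration of the lockless loop performs a real load; with a plain load the compiler is entitled to hoist the read out of the loop and spin forever. The names gc_lock, tot_inflight, inflight_worker, wait_for_inflight and run_demo are this example's own.

```c
/* Added example (not kernel code): user-space model of the race the fix
 * annotates. tot_inflight stands in for unix_tot_inflight and gc_lock for
 * unix_gc_lock; the names are this example's own. */
#include <pthread.h>
#include <stdio.h>

/* Core of the kernel macros: a volatile access forces one real, whole
 * load or store per evaluation, so the compiler cannot cache the value. */
#define READ_ONCE(x)        (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, val)  do { *(volatile __typeof__(x) *)&(x) = (val); } while (0)

#define WRITERS     4
#define PER_WRITER  1000

static pthread_mutex_t gc_lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned int tot_inflight;

/* Writer, modelled on unix_inflight(): the counter is only changed under
 * the lock, and the store is marked because someone reads it locklessly. */
static void *inflight_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < PER_WRITER; i++) {
        pthread_mutex_lock(&gc_lock);
        WRITE_ONCE(tot_inflight, tot_inflight + 1);
        pthread_mutex_unlock(&gc_lock);
    }
    return NULL;
}

/* Lockless reader, modelled on the check in unix_release_sock(). Without
 * READ_ONCE() a compiler may load tot_inflight once, before the loop, and
 * never observe the writers' updates. */
static unsigned int wait_for_inflight(unsigned int target)
{
    unsigned int seen;

    while ((seen = READ_ONCE(tot_inflight)) < target)
        ;   /* spin until every writer has accounted its descriptors */
    return seen;
}

/* Runs the writers and the lockless reader; returns what the reader saw. */
unsigned int run_demo(void)
{
    pthread_t th[WRITERS];
    unsigned int seen;

    tot_inflight = 0;
    for (int i = 0; i < WRITERS; i++)
        pthread_create(&th[i], NULL, inflight_worker, NULL);
    seen = wait_for_inflight(WRITERS * PER_WRITER);
    for (int i = 0; i < WRITERS; i++)
        pthread_join(th[i], NULL);
    return seen;
}

int main(void)
{
    unsigned int seen = run_demo();

    printf("lockless reader observed %u, expected %u\n", seen, WRITERS * PER_WRITER);
    return seen == WRITERS * PER_WRITER ? 0 : 1;
}
```

Build with cc -O2 -pthread. In the kernel the same annotation also tells KCSAN that the lockless read is intentional: KCSAN reports a race when at least one of the two conflicting accesses is plain, which is why the report above fires on the unix_release_sock() read even though the unix_inflight() write was already marked. For portable user-space code prefer C11 atomics with memory_order_relaxed over a volatile cast; the cast is used here only to mirror the kernel macro.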
Affected and fixed versions
===========================
Issue introduced in 2.6.24 with commit 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 and fixed in 4.14.326 with commit 31b46d5e7c4e295bd112960614a66a177a057dca
Issue introduced in 2.6.24 with commit 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 and fixed in 4.19.295 with commit 20aa8325464d8905450089eed96ca102a074d853
Issue introduced in 2.6.24 with commit 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 and fixed in 5.4.257 with commit 5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840
Issue introduced in 2.6.24 with commit 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 and fixed in 5.10.195 with commit cf29b42766ad4af2ae6a449f583796951551b48d
Issue introduced in 2.6.24 with commit 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 and fixed in 5.15.132 with commit e5edc6e44a882c0458878ab10eaddfe60ac34e57
Issue introduced in 2.6.24 with commit 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 and fixed in 6.1.54 with commit 2d8933ca863e252fb09ad0be483255e3dfeb1f54
Issue introduced in 2.6.24 with commit 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 and fixed in 6.5.4 with commit afc284a4a781defbb12b2a40427fae34c3d20e17
Issue introduced in 2.6.24 with commit 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 and fixed in 6.6 with commit ade32bd8a738d7497ffe9743c46728db26740f78
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-54006
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
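A quick way to act on the list above is to compare a kernel version string against the first fixed release of its branch. The function below is an added example for this page, not part of the advisory or of the kernel CVE team's tooling, and it is kept in C so that the page's examples share one language; kernel_not_vulnerable(), parse_kver(), kver_cmp() and the tables are its own names, with the numbers copied from the "Affected and fixed versions" list. It only answers for vanilla kernel.org kernels: a distribution kernel reporting 6.1.0-13-amd64 may well carry the backport without a version bump, so for those check the distribution's advisory or changelog instead.

```c
/* Added example (not the advisory's or the kernel's code): classify an
 * upstream kernel.org version against the fixed releases listed above. */
#include <stdio.h>

struct kver { int major, minor, patch; };

/* First fixed release of each stable branch, from the list above. */
static const struct kver fixed_in[] = {
    {4, 14, 326}, {4, 19, 295}, {5, 4, 257}, {5, 10, 195},
    {5, 15, 132}, {6, 1, 54},   {6, 5, 4},
};
static const struct kver first_fixed_mainline = {6, 6, 0};   /* fixed in 6.6 */
static const struct kver introduced_in        = {2, 6, 24};  /* introduced in 2.6.24 */

/* "6.1.54-13-amd64" -> {6,1,54}; "6.6" -> {6,6,0}. Returns 0 if unparseable. */
static int parse_kver(const char *s, struct kver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2;
}

static int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* Returns 1 if the version carries the fix or predates the introducing
 * commit, 0 if it is vulnerable, -1 if the string does not parse. */
int kernel_not_vulnerable(const char *version)
{
    struct kver v;

    if (!parse_kver(version, &v))
        return -1;
    if (kver_cmp(&v, &introduced_in) < 0)
        return 1;
    /* Listed stable branch: compare the patch level within that branch. */
    for (size_t i = 0; i < sizeof fixed_in / sizeof fixed_in[0]; i++)
        if (fixed_in[i].major == v.major && fixed_in[i].minor == v.minor)
            return v.patch >= fixed_in[i].patch;
    /* Any other branch: fixed only from mainline 6.6 onwards. An EOL branch
     * such as 6.4 never received the fix and is reported as vulnerable. */
    return kver_cmp(&v, &first_fixed_mainline) >= 0;
}

int main(int argc, char **argv)
{
    const char *v = argc > 1 ? argv[1] : "5.15.131";
    int r = kernel_not_vulnerable(v);

    printf("%s: %s\n", v, r < 0 ? "unparseable" : r ? "not vulnerable" : "vulnerable");
    return r == 1 ? 0 : 1;
}
```

Run it as ./kcheck "$(uname -r)"; a non-zero exit means the kernel is either vulnerable or could not be classified, which is the conservative answer for a fleet scan.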
Affected files
==============
The file(s) affected by this issue are:
net/unix/af_unix.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/31b46d5e7c4e295bd112960614a66a177a057dca
https://git.kernel.org/stable/c/20aa8325464d8905450089eed96ca102a074d853
https://git.kernel.org/stable/c/5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840
https://git.kernel.org/stable/c/cf29b42766ad4af2ae6a449f583796951551b48d
https://git.kernel.org/stable/c/e5edc6e44a882c0458878ab10eaddfe60ac34e57
https://git.kernel.org/stable/c/2d8933ca863e252fb09ad0be483255e3dfeb1f54
https://git.kernel.org/stable/c/afc284a4a781defbb12b2a40427fae34c3d20e17
https://git.kernel.org/stable/c/ade32bd8a738d7497ffe9743c46728db26740f78