| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025123028-CVE-2023-54195-07d1@gregkh> Date: Tue, 30 Dec 2025 13:10:03 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-54195: rxrpc: Fix timeout of a call that hasn't yet been granted a channel From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix timeout of a call that hasn't yet been granted a channel afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701 RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157 ... Call Trace: <TASK> rxrpc_send_ACK+0x50/0x13b rxrpc_input_call_event+0x16a/0x67d rxrpc_io_thread+0x1b6/0x45f ? _raw_spin_unlock_irqrestore+0x1f/0x35 ? rxrpc_input_packet+0x519/0x519 kthread+0xe7/0xef ? kthread_complete_and_exit+0x1b/0x1b ret_from_fork+0x22/0x30 Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted. It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal. The Linux kernel CVE team has assigned CVE-2023-54195 to this issue. Affected and fixed versions =========================== Issue introduced in 6.2 with commit 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d and fixed in 6.2.16 with commit 92128a7170a220b5126d09a1c1954a3a8d46cef3 Issue introduced in 6.2 with commit 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d and fixed in 6.3.3 with commit 72f4a9f3f447948cf86dffe1c4a4c8a429ab9666 Issue introduced in 6.2 with commit 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d and fixed in 6.4 with commit db099c625b13a74d462521a46d98a8ce5b53af5d Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-54195 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/afs/afs.h fs/afs/internal.h fs/afs/rxrpc.c include/net/af_rxrpc.h net/rxrpc/af_rxrpc.c net/rxrpc/ar-internal.h net/rxrpc/call_object.c net/rxrpc/sendmsg.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3 https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666 https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d
Powered by blists - more mailing lists