fkie_cve-2023-53021
Vulnerability from fkie_nvd
Published
2025-03-27 17:15
Modified
2025-04-01 15:40
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_taprio: fix possible use-after-free syzbot reported a nasty crash [1] in net_tx_action() which made little sense until we got a repro. This repro installs a taprio qdisc, but providing an invalid TCA_RATE attribute. qdisc_create() has to destroy the just initialized taprio qdisc, and taprio_destroy() is called. However, the hrtimer used by taprio had already fired, therefore advance_sched() called __netif_schedule(). Then net_tx_action was trying to use a destroyed qdisc. We can not undo the __netif_schedule(), so we must wait until one cpu serviced the qdisc before we can proceed. Many thanks to Alexander Potapenko for his help. [1] BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline] BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline] BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline] BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline] do_raw_spin_trylock include/linux/spinlock.h:191 [inline] __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline] _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 spin_trylock include/linux/spinlock.h:359 [inline] qdisc_run_begin include/net/sch_generic.h:187 [inline] qdisc_run+0xee/0x540 include/net/pkt_sched.h:125 net_tx_action+0x77c/0x9a0 net/core/dev.c:5086 __do_softirq+0x1cc/0x7fb kernel/softirq.c:571 run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934 smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164 kthread+0x31b/0x430 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 Uninit was created at: slab_post_alloc_hook mm/slab.h:732 [inline] slab_alloc_node mm/slub.c:3258 [inline] __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970 kmalloc_reserve net/core/skbuff.c:358 [inline] __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430 alloc_skb include/linux/skbuff.h:1257 [inline] nlmsg_new include/net/netlink.h:953 [inline] netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436 netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507 rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536 __sys_sendmsg net/socket.c:2565 [inline] __do_sys_sendmsg net/socket.c:2574 [inline] __se_sys_sendmsg net/socket.c:2572 [inline] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1200388a0b1c3c6fda48d4d2143db8f7e4ef5348Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3a415d59c1dbec9d772dbfab2d2520d98360caaePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c53acbf2facfdfabdc6e6984a1a38f5d38b606a1Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c60fe70078d6e515f424cb868d07e00411b27fbcPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d3b2d2820a005e43855fa71b80c4a4b194201c60Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.2
linux linux_kernel 6.2
linux linux_kernel 6.2
linux linux_kernel 6.2


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "79CA608C-BC5E-4BB5-9250-771AEC44F412",
              "versionEndExcluding": "5.4.231",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A44D9D24-661C-40D4-8735-4CEB1C7C02F2",
              "versionEndExcluding": "5.10.166",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "91C2E92D-CC25-4FBD-8824-56A148119D7E",
              "versionEndExcluding": "5.15.91",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED5B6045-B1D2-4E03-B194-9005A351BCAE",
              "versionEndExcluding": "6.1.9",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_taprio: fix possible use-after-free\n\nsyzbot reported a nasty crash [1] in net_tx_action() which\nmade little sense until we got a repro.\n\nThis repro installs a taprio qdisc, but providing an\ninvalid TCA_RATE attribute.\n\nqdisc_create() has to destroy the just initialized\ntaprio qdisc, and taprio_destroy() is called.\n\nHowever, the hrtimer used by taprio had already fired,\ntherefore advance_sched() called __netif_schedule().\n\nThen net_tx_action was trying to use a destroyed qdisc.\n\nWe can not undo the __netif_schedule(), so we must wait\nuntil one cpu serviced the qdisc before we can proceed.\n\nMany thanks to Alexander Potapenko for his help.\n\n[1]\nBUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\nBUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\nBUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\nBUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\n do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\n __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\n _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n spin_trylock include/linux/spinlock.h:359 [inline]\n qdisc_run_begin include/net/sch_generic.h:187 [inline]\n qdisc_run+0xee/0x540 include/net/pkt_sched.h:125\n net_tx_action+0x77c/0x9a0 net/core/dev.c:5086\n __do_softirq+0x1cc/0x7fb kernel/softirq.c:571\n run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934\n smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164\n kthread+0x31b/0x430 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:732 [inline]\n slab_alloc_node mm/slub.c:3258 [inline]\n __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970\n kmalloc_reserve net/core/skbuff.c:358 [inline]\n __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430\n alloc_skb include/linux/skbuff.h:1257 [inline]\n nlmsg_new include/net/netlink.h:953 [inline]\n netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436\n netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507\n rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536\n __sys_sendmsg net/socket.c:2565 [inline]\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: sch_taprio: correcci\u00f3n de posible error de use-after-free syzbot report\u00f3 un fallo grave [1] en net_tx_action() que no ten\u00eda sentido hasta que se reprodujo. Esta reproducci\u00f3n instala una qdisc de Taprio, pero proporciona un atributo TCA_RATE no v\u00e1lido. qdisc_create() debe destruir la qdisc de Taprio reci\u00e9n inicializada, y se llama a taprio_destroy(). Sin embargo, el temporizador hr usado por Taprio ya se hab\u00eda ejecutado, por lo que advance_sched() llam\u00f3 a __netif_schedule(). Entonces, net_tx_action intentaba usar una qdisc destruida. No podemos deshacer __netif_schedule(), por lo que debemos esperar a que una CPU haya dado servicio a la qdisc antes de continuar. Muchas gracias a Alexander Potapenko por su ayuda. [1] ERROR: KMSAN: valor no inicializado en queued_spin_trylock include/asm-generic/qspinlock.h:94 [en l\u00ednea] ERROR: KMSAN: valor no inicializado en do_raw_spin_trylock include/linux/spinlock.h:191 [en l\u00ednea] ERROR: KMSAN: valor no inicializado en __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [en l\u00ednea] ERROR: KMSAN: valor no inicializado en _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 queued_spin_trylock include/asm-generic/qspinlock.h:94 [en l\u00ednea] do_raw_spin_trylock include/linux/spinlock.h:191 [en l\u00ednea] __raw_spin_trylock incluir/linux/spinlock_api_smp.h:89 [en l\u00ednea] _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 spin_trylock incluir/linux/spinlock.h:359 [en l\u00ednea] qdisc_run_begin incluir/net/sch_generic.h:187 [en l\u00ednea] qdisc_run+0xee/0x540 incluir/net/pkt_sched.h:125 net_tx_action+0x77c/0x9a0 net/core/dev.c:5086 __do_softirq+0x1cc/0x7fb kernel/softirq.c:571 run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934 smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164 kthread+0x31b/0x430 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 Uninit se cre\u00f3 en: slab_post_alloc_hook mm/slab.h:732 [en l\u00ednea] slab_alloc_node mm/slub.c:3258 [en l\u00ednea] __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970 kmalloc_reserve net/core/skbuff.c:358 [en l\u00ednea] __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430 alloc_skb include/linux/skbuff.h:1257 [en l\u00ednea] nlmsg_new include/net/netlink.h:953 [en l\u00ednea] netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436 netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507 rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [en l\u00ednea] netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [en l\u00ednea] sock_sendmsg net/socket.c:734 [en l\u00ednea] ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536 __sys_sendmsg net/socket.c:2565 [en l\u00ednea] __do_sys_sendmsg net/socket.c:2574 [en l\u00ednea] __se_sys_sendmsg net/socket.c:2572 [en l\u00ednea] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd CPU: 0 PID: 13 Comm: ksoftirqd/0 No contaminado 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 22/07/2022"
    }
  ],
  "id": "CVE-2023-53021",
  "lastModified": "2025-04-01T15:40:10.120",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-27T17:15:51.580",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1200388a0b1c3c6fda48d4d2143db8f7e4ef5348"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3a415d59c1dbec9d772dbfab2d2520d98360caae"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c53acbf2facfdfabdc6e6984a1a38f5d38b606a1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c60fe70078d6e515f424cb868d07e00411b27fbc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d3b2d2820a005e43855fa71b80c4a4b194201c60"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.