fkie_cve-2023-53198
Vulnerability from fkie_nvd
Published
2025-09-15 14:15
Modified
2025-09-15 15:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: raw: Fix NULL deref in raw_get_next(). Dae R. Jeong reported a NULL deref in raw_get_next() [0]. It seems that the repro was running these sequences in parallel so that one thread was iterating on a socket that was being freed in another netns. unshare(0x40060200) r0 = syz_open_procfs(0x0, &(0x7f0000002080)='net/raw\x00') socket$inet_icmp_raw(0x2, 0x3, 0x1) pread64(r0, &(0x7f0000000000)=""/10, 0xa, 0x10000000007f) After commit 0daf07e52709 ("raw: convert raw sockets to RCU"), we use RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW sockets. However, we should use spinlock for slow paths to avoid the NULL deref. Also, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object is not reused during iteration in the grace period. In fact, the lockless readers do not check the nulls marker with get_nulls_value(). So, SOCK_RAW should use hlist instead of hlist_nulls. Instead of adding an unnecessary barrier by sk_nulls_for_each_rcu(), let's convert hlist_nulls to hlist and use sk_for_each_rcu() for fast paths and sk_for_each() and spinlock for /proc/net/raw. [0]: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:read_pnet include/net/net_namespace.h:383 [inline] RIP: 0010:sock_net include/net/sock.h:649 [inline] RIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline] RIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline] RIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995 Code: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef RSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206 RAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000 RDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338 RBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9 R10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78 R13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030 FS: 00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225 seq_read+0x224/0x320 fs/seq_file.c:162 pde_read fs/proc/inode.c:316 [inline] proc_reg_read+0x23f/0x330 fs/proc/inode.c:328 vfs_read+0x31e/0xd30 fs/read_write.c:468 ksys_pread64 fs/read_write.c:665 [inline] __do_sys_pread64 fs/read_write.c:675 [inline] __se_sys_pread64 fs/read_write.c:672 [inline] __x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x478d29 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011 RAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29 RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003 RBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000 R10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740 R13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010 ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0a78cf7264d29abeca098eae0b188a10aabc8a32
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/67daeaecd70ef20ab540c21739d3f633734967a1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b34056bedf04d08ef24f713a7f93bad1274a838d
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nraw: Fix NULL deref in raw_get_next().\n\nDae R. Jeong reported a NULL deref in raw_get_next() [0].\n\nIt seems that the repro was running these sequences in parallel so\nthat one thread was iterating on a socket that was being freed in\nanother netns.\n\n  unshare(0x40060200)\n  r0 = syz_open_procfs(0x0, \u0026(0x7f0000002080)=\u0027net/raw\\x00\u0027)\n  socket$inet_icmp_raw(0x2, 0x3, 0x1)\n  pread64(r0, \u0026(0x7f0000000000)=\"\"/10, 0xa, 0x10000000007f)\n\nAfter commit 0daf07e52709 (\"raw: convert raw sockets to RCU\"), we\nuse RCU and hlist_nulls_for_each_entry() to iterate over SOCK_RAW\nsockets.  However, we should use spinlock for slow paths to avoid\nthe NULL deref.\n\nAlso, SOCK_RAW does not use SLAB_TYPESAFE_BY_RCU, and the slab object\nis not reused during iteration in the grace period.  In fact, the\nlockless readers do not check the nulls marker with get_nulls_value().\nSo, SOCK_RAW should use hlist instead of hlist_nulls.\n\nInstead of adding an unnecessary barrier by sk_nulls_for_each_rcu(),\nlet\u0027s convert hlist_nulls to hlist and use sk_for_each_rcu() for\nfast paths and sk_for_each() and spinlock for /proc/net/raw.\n\n[0]:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 2 PID: 20952 Comm: syz-executor.0 Not tainted 6.2.0-g048ec869bafd-dirty #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nRIP: 0010:read_pnet include/net/net_namespace.h:383 [inline]\nRIP: 0010:sock_net include/net/sock.h:649 [inline]\nRIP: 0010:raw_get_next net/ipv4/raw.c:974 [inline]\nRIP: 0010:raw_get_idx net/ipv4/raw.c:986 [inline]\nRIP: 0010:raw_seq_start+0x431/0x800 net/ipv4/raw.c:995\nCode: ef e8 33 3d 94 f7 49 8b 6d 00 4c 89 ef e8 b7 65 5f f7 49 89 ed 49 83 c5 98 0f 84 9a 00 00 00 48 83 c5 c8 48 89 e8 48 c1 e8 03 \u003c42\u003e 80 3c 30 00 74 08 48 89 ef e8 00 3d 94 f7 4c 8b 7d 00 48 89 ef\nRSP: 0018:ffffc9001154f9b0 EFLAGS: 00010206\nRAX: 0000000000000005 RBX: 1ffff1100302c8fd RCX: 0000000000000000\nRDX: 0000000000000028 RSI: ffffc9001154f988 RDI: ffffc9000f77a338\nRBP: 0000000000000029 R08: ffffffff8a50ffb4 R09: fffffbfff24b6bd9\nR10: fffffbfff24b6bd9 R11: 0000000000000000 R12: ffff88801db73b78\nR13: fffffffffffffff9 R14: dffffc0000000000 R15: 0000000000000030\nFS:  00007f843ae8e700(0000) GS:ffff888063700000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055bb9614b35f CR3: 000000003c672000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n seq_read_iter+0x4c6/0x10f0 fs/seq_file.c:225\n seq_read+0x224/0x320 fs/seq_file.c:162\n pde_read fs/proc/inode.c:316 [inline]\n proc_reg_read+0x23f/0x330 fs/proc/inode.c:328\n vfs_read+0x31e/0xd30 fs/read_write.c:468\n ksys_pread64 fs/read_write.c:665 [inline]\n __do_sys_pread64 fs/read_write.c:675 [inline]\n __se_sys_pread64 fs/read_write.c:672 [inline]\n __x64_sys_pread64+0x1e9/0x280 fs/read_write.c:672\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x478d29\nCode: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f843ae8dbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000011\nRAX: ffffffffffffffda RBX: 0000000000791408 RCX: 0000000000478d29\nRDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000003\nRBP: 00000000f477909a R08: 0000000000000000 R09: 0000000000000000\nR10: 000010000000007f R11: 0000000000000246 R12: 0000000000791740\nR13: 0000000000791414 R14: 0000000000791408 R15: 00007ffc2eb48a50\n \u003c/TASK\u003e\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010\n---truncated---"
    }
  ],
  "id": "CVE-2023-53198",
  "lastModified": "2025-09-15T15:22:27.090",
  "metrics": {},
  "published": "2025-09-15T14:15:42.223",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0a78cf7264d29abeca098eae0b188a10aabc8a32"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/67daeaecd70ef20ab540c21739d3f633734967a1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b34056bedf04d08ef24f713a7f93bad1274a838d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.