CVE-2023-53088 Information
Description
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix UaF in listener shutdown
As reported by Christoph, after having refactored the passive socket initialization, the mptcp listener shutdown path is prone to a UaF issue.
BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0 Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266
CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
The msk grace period can legitimately expire in between the last reference count dropped in mptcp_subflow_queue_clean() and the later eventual access in inet_csk_listen_stop().
After the previous patch we no longer need to special-case msk listener socket cleanup: the mptcp worker will process each of the unaccepted msk sockets.
Just drop the now unnecessary code.
Please note this commit depends on the two parent ones:
mptcp: refactor passive socket initialization
mptcp: use the workqueue to destroy unaccepted sockets
References
https://git.kernel.org/stable/c/0a3f4f1f9c27215e4ddcd312558342e57b93e518
https://git.kernel.org/stable/c/0f4f4cf5d32f10543deb946a37111e714579511e
https://git.kernel.org/stable/c/5564be74a22a61855f8b8c100d8c4abb003bb792