Message ID | 20230913214400.66802-1-yuxuan.luo@canonical.com |
---|---|
Series | CVE-2023-4622 |
On Wed, Sep 13, 2023 at 05:43:59PM -0400, Yuxuan Luo wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's af_unix component can
> be exploited to achieve local privilege escalation. The
> unix_stream_sendpage() function tries to add data to the last skb in the
> peer's recv queue without locking the queue. Thus there is a race where
> unix_stream_sendpage() could access an skb locklessly that is being
> released by garbage collection, resulting in use-after-free. We recommend
> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>
> [Backport]
> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>

Though this is said in the commit message, I think it is important to explain
why this was picked from a stable release. sendpage got some refactoring during
6.5 development and so this issue does not affect mainline.

So upstream applied a fix on the stable releases to avoid backporting that
refactoring.

Cascardo.

> [Test]
> Smoke tested via building an AF_UNIX echo server and connecting to it.
>
> [Potential Regression]
> Expect very low regression.
>

This could regress sendpage on unix sockets. The smoke test could be improved
by doing some sendfile on the socket.

> Kuniyuki Iwashima (1):
>   af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>
>  net/unix/af_unix.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 9/13/23 18:03, Thadeu Lima de Souza Cascardo wrote:
> On Wed, Sep 13, 2023 at 05:43:59PM -0400, Yuxuan Luo wrote:
>> [Impact]
>> A use-after-free vulnerability in the Linux kernel's af_unix component can
>> be exploited to achieve local privilege escalation. The
>> unix_stream_sendpage() function tries to add data to the last skb in the
>> peer's recv queue without locking the queue. Thus there is a race where
>> unix_stream_sendpage() could access an skb locklessly that is being
>> released by garbage collection, resulting in use-after-free. We recommend
>> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>>
>> [Backport]
>> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>>
> Though this is said in the commit message, I think it is important to explain
> why this was picked from a stable release. sendpage got some refactoring during
> 6.5 development and so this issue does not affect mainline.
>
> So upstream applied a fix on the stable releases to avoid backporting that
> refactoring.
>
> Cascardo.
>
>> [Test]
>> Smoke tested via building an AF_UNIX echo server and connecting to it.
>>
>> [Potential Regression]
>> Expect very low regression.
>>
> This could regress sendpage on unix sockets. The smoke test could be improved
> by doing some sendfile on the socket.

Now smoke tested again with sendfile() (which eventually triggers the modified
unix_stream_sendpage()).

>
>> Kuniyuki Iwashima (1):
>>   af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>>
>>  net/unix/af_unix.c | 9 ++++-----
>>  1 file changed, 4 insertions(+), 5 deletions(-)
>>
>> --
>> 2.34.1
On 15.09.23 00:13, Yuxuan Luo wrote:
>
> On 9/13/23 18:03, Thadeu Lima de Souza Cascardo wrote:
>> On Wed, Sep 13, 2023 at 05:43:59PM -0400, Yuxuan Luo wrote:
>>> [Impact]
>>> A use-after-free vulnerability in the Linux kernel's af_unix component can
>>> be exploited to achieve local privilege escalation. The
>>> unix_stream_sendpage() function tries to add data to the last skb in the
>>> peer's recv queue without locking the queue. Thus there is a race where
>>> unix_stream_sendpage() could access an skb locklessly that is being
>>> released by garbage collection, resulting in use-after-free. We recommend
>>> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>>>
>>> [Backport]
>>> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>>>
>> Though this is said in the commit message, I think it is important to explain
>> why this was picked from a stable release. sendpage got some refactoring during
>> 6.5 development and so this issue does not affect mainline.
>>
>> So upstream applied a fix on the stable releases to avoid backporting that
>> refactoring.
>>
>> Cascardo.
>>
>>> [Test]
>>> Smoke tested via building an AF_UNIX echo server and connecting to it.
>>>
>>> [Potential Regression]
>>> Expect very low regression.
>>>
>> This could regress sendpage on unix sockets. The smoke test could be improved
>> by doing some sendfile on the socket.
>
> Now smoke tested again with sendfile() (which eventually triggers the
> modified unix_stream_sendpage()).

Is that good or bad?

-Stefan

>
>>
>>> Kuniyuki Iwashima (1):
>>>   af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>>>
>>>  net/unix/af_unix.c | 9 ++++-----
>>>  1 file changed, 4 insertions(+), 5 deletions(-)
>>>
>>> --
>>> 2.34.1
On 9/15/23 04:14, Stefan Bader wrote:
> On 15.09.23 00:13, Yuxuan Luo wrote:
>>
>> On 9/13/23 18:03, Thadeu Lima de Souza Cascardo wrote:
>>> On Wed, Sep 13, 2023 at 05:43:59PM -0400, Yuxuan Luo wrote:
>>>> [Impact]
>>>> A use-after-free vulnerability in the Linux kernel's af_unix component can
>>>> be exploited to achieve local privilege escalation. The
>>>> unix_stream_sendpage() function tries to add data to the last skb in the
>>>> peer's recv queue without locking the queue. Thus there is a race where
>>>> unix_stream_sendpage() could access an skb locklessly that is being
>>>> released by garbage collection, resulting in use-after-free. We recommend
>>>> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>>>>
>>>> [Backport]
>>>> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>>>>
>>> Though this is said in the commit message, I think it is important to explain
>>> why this was picked from a stable release. sendpage got some refactoring during
>>> 6.5 development and so this issue does not affect mainline.
>>>
>>> So upstream applied a fix on the stable releases to avoid backporting that
>>> refactoring.
>>>
>>> Cascardo.
>>>
>>>> [Test]
>>>> Smoke tested via building an AF_UNIX echo server and connecting to it.
>>>>
>>>> [Potential Regression]
>>>> Expect very low regression.
>>>>
>>> This could regress sendpage on unix sockets. The smoke test could be improved
>>> by doing some sendfile on the socket.
>>
>> Now smoke tested again with sendfile() (which eventually triggers the
>> modified unix_stream_sendpage()).
>
> Is that good or bad?
>
> -Stefan

Test results came out good: the sendfile() worked as intended.

>
>>
>>>
>>>> Kuniyuki Iwashima (1):
>>>>   af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>>>>
>>>>  net/unix/af_unix.c | 9 ++++-----
>>>>  1 file changed, 4 insertions(+), 5 deletions(-)
>>>>
>>>> --
>>>> 2.34.1
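The smoke test the thread converges on (an AF_UNIX stream socket driven with sendfile(), so that the kernel takes the sendpage path the fix touches, then a check that the bytes arrive intact) written out as an added example. This is not code from the thread, the cover letter or the patch. It assumes a Linux host (sys/sendfile.h), replaces the echo server with a socketpair() so that it runs in one process, and is a functional check only: it exercises the code path but makes no attempt to win the race between unix_stream_sendpage() and skb garbage collection. On a 6.1-series kernel sendfile() on a socket ends up in unix_stream_sendpage(); on kernels at or after the 6.5 sendpage refactoring the same call goes through the replacement sendmsg()/MSG_SPLICE_PAGES path, so the test still runs but exercises different code. The payload size is kept well below the default socket send buffer (net.core.wmem_default, 208 KiB) because the single thread only drains the peer after sendfile() returns.

```c
/* Added example (not from the thread or the patch): push a file through an
 * AF_UNIX stream socket with sendfile() and verify the round trip.
 * Linux-only: sendfile() and <sys/sendfile.h> are not portable. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/sendfile.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Fill buf with a deterministic pattern (constructed test data, not real traffic). */
static void build_payload(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)('A' + (i % 26));
}

/* Create an unlinked temp file holding `len` bytes of `data`.
 * Returns a descriptor usable as sendfile()'s in_fd, or -1 on error. */
static int make_source_file(const unsigned char *data, size_t len)
{
    FILE *f = tmpfile();
    if (!f)
        return -1;
    if (fwrite(data, 1, len, f) != len || fflush(f) != 0) {
        fclose(f);
        return -1;
    }
    int fd = dup(fileno(f));   /* keep our own fd; fclose() closes the original */
    fclose(f);
    return fd;
}

/* Send a `len`-byte file through sv[0] with sendfile() and read it back from sv[1].
 * sendfile() with a socket as out_fd is what makes the kernel take the sendpage
 * path (unix_stream_sendpage() on 6.1-era kernels). Returns the number of bytes
 * that round-tripped intact, or -1 on any syscall error or data mismatch.
 * Keep `len` below the socket send buffer: this is single-threaded, so the
 * peer is only drained after sendfile() has returned. */
ssize_t sendfile_unix_roundtrip(size_t len)
{
    ssize_t result = -1;
    int sv[2] = { -1, -1 };
    int src = -1;
    off_t off = 0;
    size_t sent = 0, got = 0;
    unsigned char *payload = malloc(len);
    unsigned char *echo = malloc(len);

    if (len == 0 || !payload || !echo)
        goto out;
    build_payload(payload, len);

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        goto out;
    if ((src = make_source_file(payload, len)) < 0)
        goto out;

    /* Sender: loop, because sendfile() may transfer fewer bytes than requested. */
    while (sent < len) {
        ssize_t n = sendfile(sv[0], src, &off, len - sent);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            goto out;
        sent += (size_t)n;
    }

    /* Receiver: everything is already queued on sv[1], so read() cannot hang. */
    while (got < len) {
        ssize_t n = read(sv[1], echo + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            goto out;
        got += (size_t)n;
    }

    if (memcmp(payload, echo, len) == 0)
        result = (ssize_t)got;
out:
    if (src >= 0) close(src);
    if (sv[0] >= 0) close(sv[0]);
    if (sv[1] >= 0) close(sv[1]);
    free(payload);
    free(echo);
    return result;
}

int main(void)
{
    ssize_t n = sendfile_unix_roundtrip(64 * 1024);
    if (n < 0) {
        perror("sendfile() over AF_UNIX stream socket failed");
        return 1;
    }
    printf("sendfile() over AF_UNIX stream socket: %zd bytes round-tripped OK\n", n);
    return 0;
}
```

Build with `cc -Wall -o unix_sendfile unix_sendfile.c` and run it on the patched kernel; a non-zero exit or a mismatch is the regression Cascardo asked to be checked. Running it in a loop from several processes at once adds some concurrency on the queue, but it is still a smoke test, not a reproducer for the race.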
On 13.09.23 23:43, Yuxuan Luo wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's af_unix component can
> be exploited to achieve local privilege escalation. The
> unix_stream_sendpage() function tries to add data to the last skb in the
> peer's recv queue without locking the queue. Thus there is a race where
> unix_stream_sendpage() could access an skb locklessly that is being
> released by garbage collection, resulting in use-after-free. We recommend
> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>
> [Backport]
> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>
> [Test]
> Smoke tested via building an AF_UNIX echo server and connecting to it.
>
> [Potential Regression]
> Expect very low regression.
>
> Kuniyuki Iwashima (1):
>   af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>
>  net/unix/af_unix.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
On 13/09/2023 23:43, Yuxuan Luo wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's af_unix component can
> be exploited to achieve local privilege escalation. The
> unix_stream_sendpage() function tries to add data to the last skb in the
> peer's recv queue without locking the queue. Thus there is a race where
> unix_stream_sendpage() could access an skb locklessly that is being
> released by garbage collection, resulting in use-after-free. We recommend
> upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
>
> [Backport]
> Backported from stable/linux-6.1.y tree; it is a clean cherry pick.
>
> [Test]
> Smoke tested via building an AF_UNIX echo server and connecting to it.
>
> [Potential Regression]
> Expect very low regression.
>
> Kuniyuki Iwashima (1):
>   af_unix: Fix null-ptr-deref in unix_stream_sendpage().
>
>  net/unix/af_unix.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
>

Applied to focal,jammy,lunar:master-next. Thanks!

Roxana