CVE-2023-53204

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix data-races around user->unix_inflight.

user->unix_inflight is changed under spin_lock(unix_gc_lock),
but too_many_unix_fds() reads it locklessly.

Let's annotate the write/read accesses to user->unix_inflight.

BUG: KCSAN: data-race in unix_attach_fds / unix_inflight

write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:
 unix_inflight+0x157/0x180 net/unix/scm.c:66
 unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123
 unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
 unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
 unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
 unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0x148/0x160 net/socket.c:748
 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
 ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
 __sys_sendmsg+0x94/0x140 net/socket.c:2577
 __do_sys_sendmsg net/socket.c:2586 [inline]
 __se_sys_sendmsg net/socket.c:2584 [inline]
 __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:
 too_many_unix_fds net/unix/scm.c:101 [inline]
 unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110
 unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
 unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
 unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
 unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0x148/0x160 net/socket.c:748
 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
 ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
 __sys_sendmsg+0x94/0x140 net/socket.c:2577
 __do_sys_sendmsg net/socket.c:2586 [inline]
 __se_sys_sendmsg net/socket.c:2584 [inline]
 __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

value changed: 0x000000000000000c -> 0x000000000000000d

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.7 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
LinuxCNA
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
VendorProductVersion
linuxlinux_kernel
3.2.78 ≤
𝑥
< 3.3
linuxlinux_kernel
3.10.96 ≤
𝑥
< 3.11
linuxlinux_kernel
3.12.57 ≤
𝑥
< 3.13
linuxlinux_kernel
3.14.60 ≤
𝑥
< 3.15
linuxlinux_kernel
3.18.27 ≤
𝑥
< 3.19
linuxlinux_kernel
4.1.17 ≤
𝑥
< 4.2
linuxlinux_kernel
4.3.5 ≤
𝑥
< 4.4
linuxlinux_kernel
4.4.1 ≤
𝑥
< 4.14.326
linuxlinux_kernel
4.15 ≤
𝑥
< 4.19.295
linuxlinux_kernel
4.20 ≤
𝑥
< 5.4.257
linuxlinux_kernel
5.5 ≤
𝑥
< 5.10.195
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.132
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.54
linuxlinux_kernel
6.2 ≤
𝑥
< 6.5.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.237-1
fixed
bookworm
6.1.148-1
fixed
bookworm (security)
6.1.147-1
fixed
trixie
6.12.43-1
fixed
trixie (security)
6.12.41-1
fixed
forky
6.16.3-1
fixed
sid
6.16.7-1
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/03d133dfbcec9d439729cc64706c7eb6d1663a24
https://git.kernel.org/stable/c/0bc36c0650b21df36fbec8136add83936eaf0607
https://git.kernel.org/stable/c/9151ed4b006125cba7c06c79df504340ea4e9386
https://git.kernel.org/stable/c/ac92f239a079678a035c0faad9089354a874aede
https://git.kernel.org/stable/c/adcf4e069358cdee8593663650ea447215a1c49e
https://git.kernel.org/stable/c/b401d7e485b0a234cf8fe9a6ae99dbcd20863138
https://git.kernel.org/stable/c/b9cdbb38e030fc2fe97fe27b54cbb6b4fbff250f
https://git.kernel.org/stable/c/df97b5ea9f3ac9308c3a633524dab382cd59d9e5