cve/published/2023/CVE-2023-53136.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53136: af_unix: fix struct pid leaks in OOB support

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 af_unix: fix struct pid leaks in OOB support

 syzbot reported struct pid leak [1].

 Issue is that queue_oob() calls maybe_add_creds() which potentially
 holds a reference on a pid.

 But skb->destructor is not set (either directly or by calling
 unix_scm_to_skb())

 This means that subsequent kfree_skb() or consume_skb() would leak
 this reference.

 In this fix, I chose to fully support scm even for the OOB message.

 [1]
 BUG: memory leak
 unreferenced object 0xffff8881053e7f80 (size 128):
 comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s)
 hex dump (first 32 bytes):
 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 backtrace:
 [<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180
 [<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285
 [<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684
 [<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825
 [<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 [<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 [<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

 The Linux kernel CVE team has assigned CVE-2023-53136 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 5.15.103 with commit f3969427fb06a2c3cd6efd7faab63505cfa76e76
 	Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.1.20 with commit ac1968ac399205fda9ee3b18f7de7416cb3a5d0d
 	Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.2.7 with commit a59d6306263c38e5c0592ea4451ca26a0778c947
 	Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53136
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/unix/af_unix.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f3969427fb06a2c3cd6efd7faab63505cfa76e76
 	https://git.kernel.org/stable/c/ac1968ac399205fda9ee3b18f7de7416cb3a5d0d
 	https://git.kernel.org/stable/c/a59d6306263c38e5c0592ea4451ca26a0778c947
 	https://git.kernel.org/stable/c/2aab4b96900272885bc157f8b236abf1cdc02e08
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53136: af_unix: fix struct pid leaks in OOB support

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	af_unix: fix struct pid leaks in OOB support

	syzbot reported struct pid leak [1].

	Issue is that queue_oob() calls maybe_add_creds() which potentially
	holds a reference on a pid.

	But skb->destructor is not set (either directly or by calling
	unix_scm_to_skb())

	This means that subsequent kfree_skb() or consume_skb() would leak
	this reference.

	In this fix, I chose to fully support scm even for the OOB message.

	[1]
	BUG: memory leak
	unreferenced object 0xffff8881053e7f80 (size 128):
	comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s)
	hex dump (first 32 bytes):
	01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	backtrace:
	[<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180
	[<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285
	[<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684
	[<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825
	[<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	[<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
	[<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

	The Linux kernel CVE team has assigned CVE-2023-53136 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 5.15.103 with commit f3969427fb06a2c3cd6efd7faab63505cfa76e76
	Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.1.20 with commit ac1968ac399205fda9ee3b18f7de7416cb3a5d0d
	Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.2.7 with commit a59d6306263c38e5c0592ea4451ca26a0778c947
	Issue introduced in 5.15 with commit 314001f0bf927015e459c9d387d62a231fe93af3 and fixed in 6.3 with commit 2aab4b96900272885bc157f8b236abf1cdc02e08

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53136
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/unix/af_unix.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f3969427fb06a2c3cd6efd7faab63505cfa76e76
	https://git.kernel.org/stable/c/ac1968ac399205fda9ee3b18f7de7416cb3a5d0d
	https://git.kernel.org/stable/c/a59d6306263c38e5c0592ea4451ca26a0778c947
	https://git.kernel.org/stable/c/2aab4b96900272885bc157f8b236abf1cdc02e08