In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix UAF in svc_tcp_listen_data_ready()

After the listener svc_sock is freed, and before invoking svc_tcp_accept()
for the established child sock, there is a window in which the newsock
retains a freed listener svc_sock in sk_user_data, which is cloned from
the parent. In the race window, if data is received on the newsock, we will
observe a use-after-free report in svc_tcp_listen_data_ready().
Reproduce by two tasks:

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure-5.4 | < any | UNKNOWN |
git.kernel.org/linus/fc80fc2d4e39137869da3150ee169b40bf879287 (6.5-rc1)
git.kernel.org/stable/c/42725e5c1b181b757ba11d804443922982334d9b
git.kernel.org/stable/c/7e1f989055622fd086c5dfb291fc72adf5660b6f
git.kernel.org/stable/c/c7b8c2d06e437639694abe76978e915cfb73f428
git.kernel.org/stable/c/cd5ec3ee52ce4b7e283cc11facfa420c297c8065
git.kernel.org/stable/c/dfc896c4a75cb8cd7cb2dfd9b469cf1e3f004254
git.kernel.org/stable/c/ef047411887ff0845afd642d6a687819308e1a4e
git.kernel.org/stable/c/fbf4ace39b2e4f3833236afbb2336edbafd75eee
git.kernel.org/stable/c/fc80fc2d4e39137869da3150ee169b40bf879287
launchpad.net/bugs/cve/CVE-2023-52885
nvd.nist.gov/vuln/detail/CVE-2023-52885
security-tracker.debian.org/tracker/CVE-2023-52885
www.cve.org/CVERecord?id=CVE-2023-52885
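
The lifetime problem described in the advisory text, replayed as a user-space C model. This is an added example, not kernel code and not the upstream patch: all struct and function names are hypothetical stand-ins, and the LISTEN-state check in the guarded callback is this example's assumption about how such a window can be closed.

```c
#include <stdio.h>
/* Constructed model: every name is a hypothetical stand-in, and the
 * LISTEN guard below is this example's assumption, not the page's fix. */
enum sk_state { ST_LISTEN, ST_ESTABLISHED };
enum cb_result { CB_IGNORED, CB_QUEUED, CB_STALE_ACCESS };
struct owner {                 /* plays the listener's svc_sock */
    int released;              /* model-only marker; freed memory has none */
    int conn_events;
};
struct sock_model {
    enum sk_state state;
    struct owner *user_data;   /* plays sk_user_data */
};

/* A child cloned from the listener copies user_data along with the rest. */
static struct sock_model clone_child(const struct sock_model *listener)
{
    struct sock_model child = *listener;
    child.state = ST_ESTABLISHED;
    return child;
}

static enum cb_result data_ready_unguarded(struct sock_model *sk)
{
    struct owner *o = sk->user_data;
    if (!o) return CB_IGNORED;
    if (o->released) return CB_STALE_ACCESS; /* in a kernel: freed-memory read */
    o->conn_events++;
    return CB_QUEUED;
}

static enum cb_result data_ready_guarded(struct sock_model *sk)
{
    return sk->state == ST_LISTEN ? data_ready_unguarded(sk) : CB_IGNORED;
}

/* Replays the window: owner released, then data arrives on the child. */
static enum cb_result replay_window(enum cb_result (*cb)(struct sock_model *))
{
    struct owner o = { 0, 0 };
    struct sock_model listener = { ST_LISTEN, &o };
    struct sock_model child = clone_child(&listener);
    o.released = 1;            /* stands in for freeing the listener's svc_sock */
    return cb(&child);
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n", replay_window(data_ready_unguarded), replay_window(data_ready_guarded));
    return 0;
}
```

The model marks the owner as released instead of freeing it, so the stale access is reported as a return value rather than triggering undefined behaviour.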