CVE-2023-52986

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52986
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52986.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52986
Published
2025-03-27T17:15:45Z
Modified
2025-03-28T18:50:32.818489Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener

A listening socket linked to a sockmap has its sk_prot overridden. It points to one of the struct proto variants in tcp_bpf_prots. The variant depends on the socket's family and which sockmap programs are attached.

A child socket cloned from a TCP listener initially inherits their sk_prot. But before cloning is finished, we restore the child's proto to the listener's original non-tcp_bpf_prots one. This happens in tcp_create_openreq_child -> tcp_bpf_clone.

Today, in tcp_bpf_clone we detect if the child's proto should be restored by checking only for the TCP_BPF_BASE proto variant. This is not correct. The sk_prot of a listening socket linked to a sockmap can point to any variant in tcp_bpf_prots.

If the listener's sk_prot happens to be not the TCP_BPF_BASE variant, then the child socket unintentionally is left with the inherited sk_prot by tcp_bpf_clone.

This leads to issues like infinite recursion on close [1], because the child state is otherwise not set up for use with tcp_bpf_prot operations.

Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.

Note that it wouldn't be sufficient to check the socket state when overriding the sk_prot in tcp_bpf_update_proto in order to always use the TCP_BPF_BASE variant for listening sockets. Since commit b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage") it is possible for a socket to transition to TCP_LISTEN state while already linked to a sockmap, e.g. connect() -> insert into map -> connect(AF_UNSPEC) -> listen().

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}