CVE-2023-53023

Source
https://cve.org/CVERecord?id=CVE-2023-53023
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53023.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53023
Downstream
Related
Published
2025-03-27T16:43:49.142Z
Modified
2026-03-12T03:27:54.990232Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
net: nfc: Fix use-after-free in local_cleanup()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: nfc: Fix use-after-free in local_cleanup()

Fix a use-after-free that occurs in kfree_skb() called from local_cleanup(). This could happen when killing the nfc daemon (e.g. neard) after detaching an nfc device. When detaching an nfc device, local_cleanup() called from nfc_llcp_unregister_device() frees local->rx_pending and decreases local->ref by kref_put() in nfc_llcp_local_put(). In the terminating process, the nfc daemon releases all sockets and this leads to decreasing local->ref. After the last release of local->ref, local_cleanup() called from local_release() frees local->rx_pending again, which leads to the bug.

Setting local->rx_pending to NULL in local_cleanup() prevents the use-after-free when local_cleanup() is called twice.

Found by a modified version of syzkaller.
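The two-call teardown described above, as an added C model that is not kernel code: the struct, the tracked kfree_skb() stand-in and the two cleanup variants are constructed here to show why clearing rx_pending makes the second local_cleanup() harmless.

```c
#include <stddef.h>

/* Constructed stand-ins for struct sk_buff and struct nfc_llcp_local:
 * one pending skb plus a reference count. */
struct sk_buff { char payload[64]; };
struct llcp_local {
    struct sk_buff *rx_pending;
    int ref;
};

/* Tracking stand-in for kfree_skb(): counts how often a non-NULL skb is
 * handed back instead of really freeing it, so a double free is observable
 * without undefined behaviour. Like kfree_skb(), NULL is a no-op. */
static int free_calls;
static void tracked_kfree_skb(struct sk_buff *skb)
{
    if (skb)
        free_calls++;
}

/* Unpatched shape: frees rx_pending but leaves the dangling pointer. */
static void local_cleanup_unpatched(struct llcp_local *local)
{
    tracked_kfree_skb(local->rx_pending);
}

/* Patched shape: frees and clears, so a second call frees nothing. */
static void local_cleanup_patched(struct llcp_local *local)
{
    tracked_kfree_skb(local->rx_pending);
    local->rx_pending = NULL;
}

/* Replays the sequence from the report: device detach runs cleanup and
 * drops one reference, then the exiting daemon closes its last socket and
 * the final put runs cleanup again. Returns frees issued for one skb. */
static int run_teardown(void (*cleanup)(struct llcp_local *))
{
    struct sk_buff skb;
    struct llcp_local local = { .rx_pending = &skb, .ref = 2 };

    free_calls = 0;
    cleanup(&local);        /* nfc_llcp_unregister_device() -> local_cleanup() */
    local.ref--;            /* ... followed by nfc_llcp_local_put() */
    if (--local.ref == 0)   /* last socket released: local_release() */
        cleanup(&local);
    return free_calls;      /* 2 for the unpatched variant, 1 for the patched one */
}
```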

BUG: KASAN: use-after-free in kfree_skb()

Call Trace:
dump_stack_lvl (lib/dump_stack.c:106)
print_address_description.constprop.0.cold (mm/kasan/report.c:306)
kasan_check_range (mm/kasan/generic.c:189)
kfree_skb (net/core/skbuff.c:955)
local_cleanup (net/nfc/llcp_core.c:159)
nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
nfc_llcp_local_put (net/nfc/llcp_core.c:181)
llcp_sock_destruct (net/nfc/llcp_sock.c:959)
__sk_destruct (net/core/sock.c:2133)
sk_destruct (net/core/sock.c:2181)
__sk_free (net/core/sock.c:2192)
sk_free (net/core/sock.c:2203)
llcp_sock_release (net/nfc/llcp_sock.c:646)
__sock_release (net/socket.c:650)
sock_close (net/socket.c:1365)
__fput (fs/file_table.c:306)
task_work_run (kernel/task_work.c:179)
ptrace_notify (kernel/signal.c:2354)
syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
syscall_exit_to_user_mode (kernel/entry/common.c:296)
do_syscall_64 (arch/x86/entry/common.c:86)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)

Allocated by task 4719:
kasan_save_stack (mm/kasan/common.c:45)
__kasan_slab_alloc (mm/kasan/common.c:325)
slab_post_alloc_hook (mm/slab.h:766)
kmem_cache_alloc_node (mm/slub.c:3497)
__alloc_skb (net/core/skbuff.c:552)
pn533_recv_response (drivers/nfc/pn533/usb.c:65)
__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
tasklet_action_common.isra.0 (kernel/softirq.c:797)
__do_softirq (kernel/softirq.c:571)

Freed by task 1901:
kasan_save_stack (mm/kasan/common.c:45)
kasan_set_track (mm/kasan/common.c:52)
kasan_save_free_info (mm/kasan/genericdd.c:518)
__kasan_slab_free (mm/kasan/common.c:236)
kmem_cache_free (mm/slub.c:3809)
kfree_skbmem (net/core/skbuff.c:874)
kfree_skb (net/core/skbuff.c:931)
local_cleanup (net/nfc/llcp_core.c:159)
nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
nfc_unregister_device (net/nfc/core.c:1179)
pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
usb_unbind_interface (drivers/usb/core/driver.c:458)
device_release_driver_internal (drivers/base/dd.c:1279)
bus_remove_device (drivers/base/bus.c:529)
device_del (drivers/base/core.c:3665)
usb_disable_device (drivers/usb/core/message.c:1420)
usb_disconnect (drivers/usb/core.c:2261)
hub_event (drivers/usb/core/hub.c:5833)
process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
kthread (kernel/kthread.c:319)
ret_from_fork (arch/x86/entry/entry_64.S:301)

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53023.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3536da06db0baa675f32de608c0a4c0f5ef0e9ff
Fixed
b09ae26f08aaf2d85f96ea7f90ddd3387f62216f
Fixed
54f7be61584b8ec4c6df405f479495b9397bae4a
Fixed
a59cdbda3714e11aa3ab579132864c4c8c6d54f9
Fixed
ad1baab3a5c03692d22ce446f38596a126377f6a
Fixed
7f129927feaf7c10b1c38bbce630172e9a08c834
Fixed
d3605282ec3502ec8847915eb2cf1f340493ff79
Fixed
4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53023.json"