CVE-2023-53781

Source
https://cve.org/CVERecord?id=CVE-2023-53781
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53781.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53781
Published
2025-12-09T00:00:36.831Z
Modified
2026-03-25T08:44:13.013564Z
Summary
smc: Fix use-after-free in tcp_write_timer_handler().
Details

In the Linux kernel, the following vulnerability has been resolved:

smc: Fix use-after-free in tcp_write_timer_handler().

With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0]

If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket.

However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers.

The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket().

[0]:
 sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)
 inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)
 __sock_create (net/socket.c:1546)
 smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)
 __sock_create (net/socket.c:1546)
 __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)
 __x64_sys_socket (net/socket.c:1672)
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)

BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)
Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091

CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl (lib/dump_stack.c:107)
 print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
 kasan_report (mm/kasan/report.c:538)
 tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)
 tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)
 call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
 __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)
 run_timer_softirq (kernel/time/timer.c:2037)
 __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
 __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)
 irq_exit_rcu (kernel/softirq.c:664)
 sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))
 </IRQ>

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53781.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ac7138746e14137a451f8539614cdd349153e0c0
Fixed
1cc41c8acfc1ee30b4868559058db97fa44b0137
Fixed
9744d2bf19762703704ecba885b7ac282c02eacf

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53781.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.11.0
Fixed
6.2.12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53781.json"