DEBIAN-CVE-2023-53781
- Source
- https://security-tracker.debian.org/tracker/CVE-2023-53781
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53781.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-53781
- Upstream
- Published
- 2025-12-09T01:16:49.280Z
- Modified
- 2025-12-10T10:17:28.305912Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcpwritetimerhandler(). With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcpwritetimerhandler() by kernel TCP sockets. [0] If SMC creates a kernel socket in _smccreate(), the kernel socket is supposed to be freed in smcclcsockrelease() by calling sockrelease() when we close() the parent SMC socket. However, at the end of smcclcsockrelease(), the kernel socket's skstate might not be TCPCLOSE. This means that we have not called inetcskdestroysock() in _tcpclose() and have not stopped the TCP timers. The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcpsubflowcreatesocket(). [0]: leaked reference. skalloc (./include/net/netnamespace.h:335 net/core/sock.c:2108) inetcreate (net/ipv4/afinet.c:319 net/ipv4/afinet.c:244) _sockcreate (net/socket.c:1546) smccreate (net/smc/afsmc.c:3269 net/smc/afsmc.c:3284) _sockcreate (net/socket.c:1546) _syssocket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661) _x64syssocket (net/socket.c:1672) dosyscall64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:120) ================================================================== BUG: KASAN: slab-use-after-free in tcpwritetimerhandler (net/ipv4/tcptimer.c:378 net/ipv4/tcptimer.c:624 net/ipv4/tcptimer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091 CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace: <IRQ> dumpstacklvl (lib/dumpstack.c:107) printreport (mm/kasan/report.c:320 mm/kasan/report.c:430) kasanreport (mm/kasan/report.c:538) tcpwritetimerhandler (net/ipv4/tcptimer.c:378 net/ipv4/tcptimer.c:624 net/ipv4/tcptimer.c:594) tcpwritetimer (./include/linux/spinlock.h:390 net/ipv4/tcptimer.c:643) calltimerfn (./arch/x86/include/asm/jumplabel.h:27 ./include/linux/jumplabel.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) _runtimers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022) runtimersoftirq (kernel/time/timer.c:2037) _dosoftirq (./arch/x86/include/asm/jumplabel.h:27 ./include/linux/jumplabel.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) _irqexitrcu (kernel/softirq.c:445 kernel/softirq.c:650) irqexitrcu (kernel/softirq.c:664) sysvecapictimer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14)) </IRQ>
- References
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source