2237760 – (CVE-2023-4622) CVE-2023-4622 kernel: use after free in unix_stream_sendpage

Bug 2237760 (CVE-2023-4622) - CVE-2023-4622 kernel: use after free in unix_stream_sendpage [NEEDINFO]

Summary: CVE-2023-4622 kernel: use after free in unix_stream_sendpage

Keywords:
Status:	NEW
Alias:	CVE-2023-4622
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2230094 (view as bug list)
Depends On:	2233137 2233138 2233139 2233140 2233141 2233142 2233143 2233144 2233145 2233146 2233147 2233148 2233150 2233151 2233153 2233154 2233156 2233157 2233163 2237936 2237937
Blocks:	2230092 2237762
TreeView+	depends on / blocked

Reported:	2023-09-06 18:17 UTC by juneau
Modified:	2023-11-30 10:35 UTC (History)
CC List:	46 users (show)
Fixed In Version:	Kernel 6.4.12
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in the Linux kernel's af_unix component that allows local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. This issue leads to a race condition where the unix_stream_sendpage() function could access a skb that is being released by garbage collection, resulting in a use-after-free issue.
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags:	joe.lawrence: needinfo? (allarkin)

Attachments	(Terms of Use)

Description juneau 2023-09-06 18:17:18 UTC

A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.

The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.

We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=790c2f9d15b594350ae9bca7b236f2b1859de02c
https://kernel.dance/790c2f9d15b594350ae9bca7b236f2b1859de02c

Comment 1 Rohit Keshri 2023-09-07 19:37:03 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2237936]

Comment 2 Rohit Keshri 2023-09-07 19:37:15 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2237937]

Comment 7 Justin M. Forbes 2023-09-08 16:31:19 UTC

This was fixed for Fedora with the 6.4.12 stable kernel updates.

Comment 8 Alex 2023-10-12 15:07:07 UTC

*** Bug 2230094 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.

acaringi
allarkin
bhu
chwhite
cye
dbohanno
debarbos
dfreiber
dvlasenk
ezulian
hkrzesin
jarod
jburrell
jdenham
jfaracco
jforbes
jlelli
joe.lawrence
jpoimboe
jshortt
jstancek
jwyatt
kcarcia
ldoskova
lgoncalv
lleshchi
lzampier
nmurray
ptalbert
rkeshri
rogbas
rparrazo
rrobaina
rvrbovsk
rysulliv
scweaver
tglozar
tyberry
vkumar
walters
wcosta
williams
wmealing
ycote
ykopkova
zhijwang