{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: SUNRPC: Fix UAF in svc_tcp_listen_data_ready()",
    "id" : "2297730",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297730"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nSUNRPC: Fix UAF in svc_tcp_listen_data_ready()\nAfter the listener svc_sock is freed, and before invoking svc_tcp_accept()\nfor the established child sock, there is a window that the newsock\nretaining a freed listener svc_sock in sk_user_data which cloning from\nparent. In the race window, if data is received on the newsock, we will\nobserve use-after-free report in svc_tcp_listen_data_ready().\nReproduce by two tasks:\n1. while :; do rpc.nfsd 0 ; rpc.nfsd; done\n2. while :; do echo \"\" | ncat -4 127.0.0.1 2049 ; done\nKASAN report:\n==================================================================\nBUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\nRead of size 8 at addr ffff888139d96228 by task nc/102553\nCPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n<IRQ>\ndump_stack_lvl+0x33/0x50\nprint_address_description.constprop.0+0x27/0x310\nprint_report+0x3e/0x70\nkasan_report+0xae/0xe0\nsvc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]\ntcp_data_queue+0x9f4/0x20e0\ntcp_rcv_established+0x666/0x1f60\ntcp_v4_do_rcv+0x51c/0x850\ntcp_v4_rcv+0x23fc/0x2e80\nip_protocol_deliver_rcu+0x62/0x300\nip_local_deliver_finish+0x267/0x350\nip_local_deliver+0x18b/0x2d0\nip_rcv+0x2fb/0x370\n__netif_receive_skb_one_core+0x166/0x1b0\nprocess_backlog+0x24c/0x5e0\n__napi_poll+0xa2/0x500\nnet_rx_action+0x854/0xc90\n__do_softirq+0x1bb/0x5de\ndo_softirq+0xcb/0x100\n</IRQ>\n<TASK>\n...\n</TASK>\nAllocated by task 102371:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\n__kasan_kmalloc+0x7b/0x90\nsvc_setup_socket+0x52/0x4f0 [sunrpc]\nsvc_addsock+0x20d/0x400 [sunrpc]\n__write_ports_addfd+0x209/0x390 [nfsd]\nwrite_ports+0x239/0x2c0 [nfsd]\nnfsctl_transaction_write+0xac/0x110 [nfsd]\nvfs_write+0x1c3/0xae0\nksys_write+0xed/0x1c0\ndo_syscall_64+0x38/0x90\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nFreed by task 102551:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\nkasan_save_free_info+0x2a/0x50\n__kasan_slab_free+0x106/0x190\n__kmem_cache_free+0x133/0x270\nsvc_xprt_free+0x1e2/0x350 [sunrpc]\nsvc_xprt_destroy_all+0x25a/0x440 [sunrpc]\nnfsd_put+0x125/0x240 [nfsd]\nnfsd_svc+0x2cb/0x3c0 [nfsd]\nwrite_threads+0x1ac/0x2a0 [nfsd]\nnfsctl_transaction_write+0xac/0x110 [nfsd]\nvfs_write+0x1c3/0xae0\nksys_write+0xed/0x1c0\ndo_syscall_64+0x38/0x90\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nFix the UAF by simply doing nothing in svc_tcp_listen_data_ready()\nif state != TCP_LISTEN, that will avoid dereferencing svsk for all\nchild socket.", "A vulnerability was found in the Linux kernel's SUNRPC implementation in the svc_tcp_listen_data_ready() function, where the use-after-free vulnerability occurs when a listener socket is freed while a child socket retains a reference to it, leading to potential access of invalid memory." ],
  "statement" : "This vulnerability is rated as moderate severity due to its potential to disrupt service through crashes, where the use-after-free allows for exploitation under specific conditions.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5281",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.118.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5066",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.77.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-07T00:00:00Z",
    "advisory" : "RHSA-2024:5067",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.77.1.rt14.362.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-52885\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52885\nhttps://lore.kernel.org/linux-cve-announce/2024071432-CVE-2023-52885-e934@gregkh/T" ],
  "name" : "CVE-2023-52885",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}