{ "threat_severity" : "Low", "public_date" : "2025-10-04T00:00:00Z", "bugzilla" : { "description" : "kernel: bpf: reject unhashed sockets in bpf_sk_assign", "id" : "2401495", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401495" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-911", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: reject unhashed sockets in bpf_sk_assign\nThe semantics for bpf_sk_assign are as follows:\nsk = some_lookup_func()\nbpf_sk_assign(skb, sk)\nbpf_sk_release(sk)\nThat is, the sk is not consumed by bpf_sk_assign. The function\ntherefore needs to make sure that sk lives long enough to be\nconsumed from __inet_lookup_skb. The path through the stack for a\nTCPv4 packet is roughly:\nnetif_receive_skb_core: takes RCU read lock\n__netif_receive_skb_core:\nsch_handle_ingress:\ntcf_classify:\nbpf_sk_assign()\ndeliver_ptype_list_skb:\ndeliver_skb:\nip_packet_type->func == ip_rcv:\nip_rcv_core:\nip_rcv_finish_core:\ndst_input:\nip_local_deliver:\nip_local_deliver_finish:\nip_protocol_deliver_rcu:\ntcp_v4_rcv:\n__inet_lookup_skb:\nskb_steal_sock\nThe existing helper takes advantage of the fact that everything\nhappens in the same RCU critical section: for sockets with\nSOCK_RCU_FREE set bpf_sk_assign never takes a reference.\nskb_steal_sock then checks SOCK_RCU_FREE again and does sock_put\nif necessary.\nThis approach assumes that SOCK_RCU_FREE is never set on a sk\nbetween bpf_sk_assign and skb_steal_sock, but this invariant is\nviolated by unhashed UDP sockets. A new UDP socket is created\nin TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is only\nadded in udp_lib_get_port() which happens when a socket is bound.\nWhen bpf_sk_assign was added it wasn't possible to access unhashed\nUDP sockets from BPF, so this wasn't a problem. This changed\nin commit 0c48eefae712 (\"sock_map: Lift socket state restriction\nfor datagram sockets\"), but the helper wasn't adjusted accordingly.\nThe following sequence of events will therefore lead to a refcount\nleak:\n1. Add socket(AF_INET, SOCK_DGRAM) to a sockmap.\n2. Pull socket out of sockmap and bpf_sk_assign it. Since\nSOCK_RCU_FREE is not set we increment the refcount.\n3. bind() or connect() the socket, setting SOCK_RCU_FREE.\n4. skb_steal_sock will now set refcounted = false due to\nSOCK_RCU_FREE.\n5. tcp_v4_rcv() skips sock_put().\nFix the problem by rejecting unhashed sockets in bpf_sk_assign().\nThis matches the behaviour of __inet_lookup_skb which is ultimately\nthe goal of bpf_sk_assign().", "A reference counting flaw was found in the Linux kernel's BPF socket assignment helper when handling unhashed UDP sockets. When a BPF program assigns an unhashed UDP socket to a packet, the function increments the socket reference count assuming SOCK_RCU_FREE isn't set. However, subsequent bind or connect operations set this flag, causing the packet receive path to skip the reference decrement. This creates a permanent reference leak that prevents socket cleanup, leading to resource exhaustion and denial of service." ], "statement" : "The bpf_sk_assign helper allows BPF programs to redirect packets to specific sockets, a powerful feature for custom load balancing or packet steering. The helper was designed around an assumption: SOCK_RCU_FREE (which controls whether sockets can be freed after an RCU grace period without explicit reference counting) remains stable throughout the packet's lifetime. For most sockets this is true—the flag is set at socket creation. UDP sockets are different: they're created without SOCK_RCU_FREE, and this flag is only added later when they're bound to a port via udp_lib_get_port. Originally, BPF couldn't access unhashed (unbound) UDP sockets, so this wasn't an issue. That changed when sockmap restrictions were lifted. Now the following sequence creates a leak: put an unbound UDP socket in a sockmap, pull it out and bpf_sk_assign it (incrementing refcount because SOCK_RCU_FREE isn't set), bind the socket (setting SOCK_RCU_FREE), then when the packet reaches tcp_v4_rcv, skb_steal_sock sees SOCK_RCU_FREE and skips the sock_put. The fix rejects unhashed sockets in bpf_sk_assign.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2020-11-04T00:00:00Z", "advisory" : "RHSA-2020:4431", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-240.el8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53585\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53585\nhttps://lore.kernel.org/linux-cve-announce/2025100425-CVE-2023-53585-b855@gregkh/T" ], "name" : "CVE-2023-53585", "csaw" : false }