From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B30F2E611B for ; Wed, 1 Oct 2025 11:57:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759319878; cv=none; b=F+pdL8fa4N8rFYAdf9vZOFVLQZ8i4KOGMmufQAjspLYBPfd0KH9F7ujJN2rszQAMcbOAYETEKu4vec5FCOLvkBr4AdbY/MPPmgC4Sp+Ka6HGlSV3CdYM4qOZDW/SWWjNHCZXj4dGeI2PKM2IOlOgZKltzJEkLt15TVV+3jSNX0I= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1759319878; c=relaxed/simple; bh=dnFR4FGPA96vASM5CsfCnCv6udyxZkPOfVldhO5KLdg=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=CTXM/u5Znz2vvZ35u07msIiEyJhyIWjrRJhB9nJcuqhEO7/Li/JyNG+xhLA+IY0oyNFVoeHG0YsSgEou6mJOBh6yDEn+sKOT7aCYVF7iQfNBDf1tnCPo0tfr42Rp3RHV+lAZhN3DcEc3iLlUbeh9xDxq6450sRhFvGf5iMaoh7U= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=a/RUMDxI; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="a/RUMDxI" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2FA67C4CEF4; Wed, 1 Oct 2025 11:57:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1759319877; bh=dnFR4FGPA96vASM5CsfCnCv6udyxZkPOfVldhO5KLdg=; h=From:To:Cc:Subject:Date:Reply-to:From; b=a/RUMDxIaioJiOnYqOUE9F6TaoombOpAbnDPFDZef6Au+1WBtusQaBluA1IwgR9ek oQmVx4KkryssY9JriGWgVm2jZOYQZhKDgeIBvkH6H832icIdeb69arwNUwAKnlABfi ipko3eVgLCgpiBtq3omH+DJ6l5yPDXJX5m5uo1io= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2023-53489: tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp. Date: Wed, 1 Oct 2025 13:45:41 +0200 Message-ID: <2025100123-CVE-2023-53489-eec5@gregkh> X-Mailer: git-send-email 2.51.0 Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Reply-to: , X-Developer-Signature: v=1; a=openpgp-sha256; l=8288; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=Bx11zWgLdQtEjNoJiA6+cmw6F7eeOHndgGqibGWkj2U=; b=owGbwMvMwCRo6H6F97bub03G02pJDBl3RYKFHhxI2B3l7PD92pMaVXe+1odM+1a/9PC9cKv5c WvLm3dhHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjARnSCGBXPVJFR2eqe9Xt5z 4n693eT007aKaxnm2VZs6/rIs6Yma3v/29obOqv89x6aBwA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp. syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY skbs. We can reproduce the problem with these sequences: sk = socket(AF_INET, SOCK_DGRAM, 0) sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE) sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1) sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53)) sk.close() sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets skb->cb->ubuf.refcnt to 1, and calls sock_hold(). Here, struct ubuf_info_msgzc indirectly holds a refcnt of the socket. When the skb is sent, __skb_tstamp_tx() clones it and puts the clone into the socket's error queue with the TX timestamp. When the original skb is received locally, skb_copy_ubufs() calls skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt. This additional count is decremented while freeing the skb, but struct ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is not called. The last refcnt is not released unless we retrieve the TX timestamped skb by recvmsg(). Since we clear the error queue in inet_sock_destruct() after the socket's refcnt reaches 0, there is a circular dependency. If we close() the socket holding such skbs, we never call sock_put() and leak the count, sk, and skb. TCP has the same problem, and commit e0c8bccd40fc ("net: stream: purge sk_error_queue in sk_stream_kill_queues()") tried to fix it by calling skb_queue_purge() during close(). However, there is a small chance that skb queued in a qdisc or device could be put into the error queue after the skb_queue_purge() call. In __skb_tstamp_tx(), the cloned skb should not have a reference to the ubuf to remove the circular dependency, but skb_clone() does not call skb_copy_ubufs() for zerocopy skb. So, we need to call skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs(). [0]: BUG: memory leak unreferenced object 0xffff88800c6d2d00 (size 1152): comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................ 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ backtrace: [<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024 [<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083 [<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline] [<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245 [<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515 [<00000000b9b11231>] sock_create net/socket.c:1566 [inline] [<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline] [<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline] [<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636 [<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline] [<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline] [<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647 [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd BUG: memory leak unreferenced object 0xffff888017633a00 (size 240): comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m..... backtrace: [<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497 [<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline] [<00000000143579a6>] sock_omalloc+0xaa/0x190 net/core/sock.c:2596 [<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline] [<00000000be626478>] msg_zerocopy_realloc+0x1ce/0x7f0 net/core/skbuff.c:1370 [<00000000cbfc9870>] __ip_append_data+0x2adf/0x3b30 net/ipv4/ip_output.c:1037 [<0000000089869146>] ip_make_skb+0x26c/0x2e0 net/ipv4/ip_output.c:1652 [<00000000098015c2>] udp_sendmsg+0x1bac/0x2390 net/ipv4/udp.c:1253 [<0000000045e0e95e>] inet_sendmsg+0x10a/0x150 net/ipv4/af_inet.c:819 [<000000008d31bfde>] sock_sendmsg_nosec net/socket.c:714 [inline] [<000000008d31bfde>] sock_sendmsg+0x141/0x190 net/socket.c:734 [<0000000021e21aa4>] __sys_sendto+0x243/0x360 net/socket.c:2117 [<00000000ac0af00c>] __do_sys_sendto net/socket.c:2129 [inline] [<00000000ac0af00c>] __se_sys_sendto net/socket.c:2125 [inline] [<00000000ac0af00c>] __x64_sys_sendto+0xe1/0x1c0 net/socket.c:2125 [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd The Linux kernel CVE team has assigned CVE-2023-53489 to this issue. Affected and fixed versions =========================== Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 4.14.315 with commit 281072fb2a7294cde7acbf5375b879f40a8001b7 Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 4.19.283 with commit 1f69c086b20e27763af28145981435423f088268 Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 5.4.243 with commit 602fa8af44fd55a58f9e94eb673e8adad2c6cc46 Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 5.10.180 with commit 230a5ed7d813fb516de81d23f09d7506753e41e9 Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 5.15.111 with commit 43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 6.1.28 with commit cb52e7f24c1d01a536a847dff0d1d95889cc3b5c Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 6.2.15 with commit 30290f210ba7426ff7592fe2eb4114b1b5bad219 Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 6.3.2 with commit 426384dd4980040651536fef5feac4dcc4d7ee4e Issue introduced in 4.14 with commit f214f915e7db99091f1312c48b30928c1e0c90b7 and fixed in 6.4 with commit 50749f2dd6854a41830996ad302aef2ffaf011d8 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53489 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/core/skbuff.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/281072fb2a7294cde7acbf5375b879f40a8001b7 https://git.kernel.org/stable/c/1f69c086b20e27763af28145981435423f088268 https://git.kernel.org/stable/c/602fa8af44fd55a58f9e94eb673e8adad2c6cc46 https://git.kernel.org/stable/c/230a5ed7d813fb516de81d23f09d7506753e41e9 https://git.kernel.org/stable/c/43e4197dd5f6b474a8b16f8b6a42cd45cf4f9d1a https://git.kernel.org/stable/c/cb52e7f24c1d01a536a847dff0d1d95889cc3b5c https://git.kernel.org/stable/c/30290f210ba7426ff7592fe2eb4114b1b5bad219 https://git.kernel.org/stable/c/426384dd4980040651536fef5feac4dcc4d7ee4e https://git.kernel.org/stable/c/50749f2dd6854a41830996ad302aef2ffaf011d8