CVE-2023-52578
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: net: bridge: use DEV_STATS_INC() syzbot/KCSAN reported data-races in br_handle_frame_finish() [1] This function can run from multiple cpus without mutual exclusion. Adopt SMP safe DEV_STATS_INC() to update dev->stats fields. Handles updates to dev->stats.tx_dropped while we are at it. [1] BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1: br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189 br_nf_hook_thresh+0x1ed/0x220 br_nf_pre_routing_finish_ipv6+0x50f/0x540 NF_HOOK include/linux/netfilter.h:304 [inline] br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178 br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline] nf_hook_bridge_pre net/bridge/br_input.c:272 [inline] br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417 __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417 __netif_receive_skb_one_core net/core/dev.c:5521 [inline] __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637 process_backlog+0x21f/0x380 net/core/dev.c:5965 __napi_poll+0x60/0x3b0 net/core/dev.c:6527 napi_poll net/core/dev.c:6594 [inline] net_rx_action+0x32b/0x750 net/core/dev.c:6727 __do_softirq+0xc1/0x265 kernel/softirq.c:553 run_ksoftirqd+0x17/0x20 kernel/softirq.c:921 smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 kthread+0x1d7/0x210 kernel/kthread.c:388 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0: br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189 br_nf_hook_thresh+0x1ed/0x220 br_nf_pre_routing_finish_ipv6+0x50f/0x540 NF_HOOK include/linux/netfilter.h:304 [inline] br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178 br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline] nf_hook_bridge_pre net/bridge/br_input.c:272 [inline] br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417 __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417 __netif_receive_skb_one_core net/core/dev.c:5521 [inline] __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637 process_backlog+0x21f/0x380 net/core/dev.c:5965 __napi_poll+0x60/0x3b0 net/core/dev.c:6527 napi_poll net/core/dev.c:6594 [inline] net_rx_action+0x32b/0x750 net/core/dev.c:6727 __do_softirq+0xc1/0x265 kernel/softirq.c:553 do_softirq+0x5e/0x90 kernel/softirq.c:454 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356 batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703 worker_thread+0x525/0x730 kernel/workqueue.c:2784 kthread+0x1d7/0x210 kernel/kthread.c:388 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 value changed: 0x00000000000d7190 -> 0x00000000000d7191 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0
CVSS Metrics
- v3.1•HIGH•Score: 7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.01%• Percentile: 1%
Techniques & Countermeasures
- CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Affected Systems
- linux•linux
≥ 1c29fc4989bc2a3838b2837adc12b8aeb0feeede, < d2346e6beb699909ca455d9d20c4e577ce900839 | ≥ 1c29fc4989bc2a3838b2837adc12b8aeb0feeede, < ad8d39c7b437fcdab7208a6a56c093d222c008d5 | ≥ 1c29fc4989bc2a3838b2837adc12b8aeb0feeede, < 04cc361f029c14dd067ad180525c7392334c9bfd | ≥ 1c29fc4989bc2a3838b2837adc12b8aeb0feeede, < 8bc97117b51d68d5cea8f5351cca2d8c4153f394 | ≥ 1c29fc4989bc2a3838b2837adc12b8aeb0feeede, < 89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2 | ≥ 1c29fc4989bc2a3838b2837adc12b8aeb0feeede, < f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa | ≥ 1c29fc4989bc2a3838b2837adc12b8aeb0feeede, < 44bdb313da57322c9b3c108eb66981c6ec6509f4 | 2.6.17
- linux•linux_kernel
≥ 2.6.17, < 4.19.296 | ≥ 4.20, < 5.4.258 | ≥ 5.5, < 5.10.198 | ≥ 5.11, < 5.15.134 | ≥ 5.16, < 6.1.56 | ≥ 6.2, < 6.5.6 | 6.6:rc1 | 6.6:rc2
References (7)
- https://git.kernel.org/stable/c/d2346e6beb699909ca455d9d20c4e577ce900839
- https://git.kernel.org/stable/c/ad8d39c7b437fcdab7208a6a56c093d222c008d5
- https://git.kernel.org/stable/c/04cc361f029c14dd067ad180525c7392334c9bfd
- https://git.kernel.org/stable/c/8bc97117b51d68d5cea8f5351cca2d8c4153f394
- https://git.kernel.org/stable/c/89f9f20b1cbd36d99d5a248a4bf8d11d4fd049a2
- https://git.kernel.org/stable/c/f2ef4cb4d418fa64fe73eb84d10cc5c0e52e00fa
- https://git.kernel.org/stable/c/44bdb313da57322c9b3c108eb66981c6ec6509f4