PT-2023-9296 · Linux · Linux Kernel
Ding Hui · Published 2023-06-05 · Updated 2026-01-12
CVE-2023-52885
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.3.0
Description
The vulnerability is a use-after-free in the svc_tcp_listen_data_ready() function. When the listener svc_sock is freed before svc_tcp_accept() has been called for an already established child socket, there is a window in which the child socket (newsock) still holds a pointer to the freed listener svc_sock in its sk_user_data field, which it inherited from the parent when it was cloned. If data arrives on the newsock during this race window, svc_tcp_listen_data_ready() dereferences the freed svc_sock and a use-after-free is reported. The issue can be reproduced by running two tasks concurrently: while :; do rpc.nfsd 0 ; rpc.nfsd; done and while :; do echo "" | ncat -4 127.0.0.1 2049 ; done
Recommendations
The fix makes svc_tcp_listen_data_ready() do nothing when the socket state is not TCP_LISTEN, so svsk is never dereferenced for child sockets. Update to a version of the Linux kernel that includes this fix, such as version 6.3.0 or later.
Exploit
Fix
Use After Free
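To make the reasoning behind the fix concrete, the following user-space model (added here as an illustration; it is not kernel code, and the struct and field names are toy stand-ins for the kernel's sk_state, sk_user_data, TCP_LISTEN and svsk) plays the race once with the vulnerable callback and once with the fixed one:

```c
/* User-space model of the CVE-2023-52885 race. Added illustration, not
 * kernel code: the structs below are toy stand-ins for the kernel's. */

enum { TCP_ESTABLISHED = 1, TCP_LISTEN = 10 };

struct svc_sock { int freed; };     /* models the listener's svc_sock */
struct sock {
    int sk_state;
    struct svc_sock *sk_user_data;  /* copied to the child when it is cloned */
};

/* Counts dereferences of an already-freed svc_sock; the real kernel would
 * report a use-after-free at this point instead. */
static int uaf_hits;

static void touch_svsk(struct svc_sock *svsk) {
    if (svsk->freed)
        uaf_hits++;
}

/* Vulnerable data_ready: dereferences svsk for every socket, child included. */
static void data_ready_vulnerable(struct sock *sk) {
    touch_svsk(sk->sk_user_data);
}

/* Fixed data_ready: only the LISTEN socket may use svsk; child sockets are
 * ignored silently, so a freed listener svc_sock is never dereferenced. */
static void data_ready_fixed(struct sock *sk) {
    if (sk->sk_state != TCP_LISTEN)
        return;
    touch_svsk(sk->sk_user_data);
}

/* Plays the race once: the listener svc_sock is freed before the child is
 * accepted, then data arrives on the child. Returns the number of freed-svsk
 * dereferences the chosen callback performed (1 = use-after-free). */
int run_race(int use_fixed) {
    struct svc_sock svsk = { .freed = 0 };
    struct sock listener = { .sk_state = TCP_LISTEN, .sk_user_data = &svsk };
    struct sock child = listener;           /* clone inherits sk_user_data */
    child.sk_state = TCP_ESTABLISHED;

    svsk.freed = 1;                         /* listener svc_sock freed */
    uaf_hits = 0;
    (use_fixed ? data_ready_fixed : data_ready_vulnerable)(&child);
    return uaf_hits;
}
```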
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linux Kernel
Red Os
Suse
Ubuntu