CVE-2023-53836

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a flaw related to a race condition in the sockmap functionality involving skb (socket buffer) reference counts. Specifically, a race can occur where skbs from the sk psock backlog can be referenced after userspace has already consumed and freed the sk buff, leading to a use-after-free condition. The issue arises when an application reads a message from the ingress queue and then frees the associated skb, while the backlog queue still holds a reference to it and attempts to dequeue it. The sk psock queue msg() function places messages on the ingress queue, which applications read via recvmsg(). The recvmsg hook then reads msg->skb and calls consume skb() to free the skb. The race occurs if skb dequeue() happens after the user frees the skb. The fix involves adding skb get() before enqueuing the skb to increment the skb->users reference count, ensuring the skb remains valid during the dequeue operation. The kfree skb() function is then called to decrement the reference count or free the skb in the backlog case.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.