A critical use-after-free vulnerability (CVE-2023-4622) has been discovered in the af_unix component of the Linux kernel. This vulnerability can be exploited by an attacker to achieve local privilege escalation, potentially compromising the security of the entire system. In this post, we'll describe the details of this vulnerability, provide a code snippet to demonstrate the issue, and cover ways to mitigate the risk.

Exploit Details

The vulnerability exists in the unix_stream_sendpage() function, which is responsible for sending data through a UNIX domain socket. This function tries to add data to the last skb (socket buffer) in the receiving peer's queue without properly locking the queue. As a result, there exists a race condition where unix_stream_sendpage() might access an skb that has been released by the garbage collection process, leading to a use-after-free situation.

The following code snippet demonstrates the problematic section in the unix_stream_sendpage() function:

static int unix_stream_sendpage(struct socket *sock, struct page *page,
				int offset, size_t size, int flags)
{
	// ...

	while (size > 0) {
		// ...

		/* Look at the last skb queued for the receiver and, if it still
		 * has room for this chunk, append the data to it in place. */
		spin_lock(&sk->sk_receive_queue.lock);
		skb = skb_peek_tail(&sk->sk_receive_queue);
		if (skb && skb_tailroom(skb) >= chunk)
			err = skb_add_data(skb, from, chunk);
		spin_unlock(&sk->sk_receive_queue.lock);

		// ...
	}

	// ...
}

Here, the function fetches the last skb in the receiving peer's queue with skb_peek_tail() and appends data to it with skb_add_data(). However, because the queue is not locked properly across the lookup and the append, another operation, such as garbage collection, can release that skb in between, and the append then writes into freed memory: a use-after-free.
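To make the ordering problem concrete, the following is an added user-space model written for this post (it is not kernel code and not part of the patch): a tail buffer is looked up and then written to, and a garbage-collection step is able to run in between unless the queue lock is held. Every struct and function name in it is invented for the illustration.

```c
#include <string.h>

/* Added user-space model of the bug (not kernel code; names invented): a
 * receive queue with one tail buffer, a queue lock, and a gc step. */
struct skb_model { char data[64]; size_t len; int freed; };
struct queue_model { struct skb_model *tail; int locked; };

/* gc releases the tail unless the queue lock is held; released buffers are
 * poisoned so that any later write is detectable as a use-after-free. */
static void gc_release_tail(struct queue_model *q)
{
	if (q->locked || !q->tail) return;
	q->tail->freed = 1;
	q->tail = NULL;
}

/* Append: 0 on success, -2 if no tailroom, -1 on write to a released buffer. */
static int add_data(struct skb_model *skb, const char *from, size_t chunk)
{
	if (skb->freed) return -1;
	if (sizeof skb->data - skb->len < chunk) return -2;
	memcpy(skb->data + skb->len, from, chunk);
	skb->len += chunk;
	return 0;
}

/* Vulnerable ordering: peek the tail, then use it, with the queue unlocked in
 * between; the gc call stands for the collector winning the race. */
static int sendpage_unlocked(struct queue_model *q, const char *from, size_t n)
{
	struct skb_model *skb = q->tail;
	gc_release_tail(q);
	return skb ? add_data(skb, from, n) : -3;
}

/* Fixed ordering: peek and append under one lock, so gc cannot release the
 * tail while it is still being written to. */
static int sendpage_locked(struct queue_model *q, const char *from, size_t n)
{
	q->locked = 1;
	struct skb_model *skb = q->tail;
	gc_release_tail(q);   /* lock held: no-op */
	int err = skb ? add_data(skb, from, n) : -3;
	q->locked = 0;
	return err;
}

/* One send of "!" against a fresh queue whose tail holds "hello". */
int run_scenario(int fixed)
{
	struct skb_model tail = { "hello", 5, 0 };
	struct queue_model q = { &tail, 0 };
	return fixed ? sendpage_locked(&q, "!", 1) : sendpage_unlocked(&q, "!", 1);
}
```

run_scenario(0) reproduces the unlocked ordering and reports the write into the released buffer, while run_scenario(1) holds the lock across both steps and the append succeeds.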

Original References

For more details about this vulnerability, you can refer to the original discussion on the Linux kernel mailing list:

- [PATCH net] af_unix: Fix use-after-free in unix_stream_sendpage (https://lore.kernel.org/netdev/20230114235928.223495-1-herbert@gondor.apana.org.au/)

Mitigation

To address this vulnerability, it is recommended to upgrade your Linux kernel to a version that includes the fix for this issue. The fix is available in commit 790c2f9d15b594350ae9bca7b236f2b1859de02c and can be found in the following repository:

- Linux Kernel Git Repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

We recommend applying the latest patches and keeping your Linux kernel up to date to ensure the security of your system.

Conclusion

The CVE-2023-4622 vulnerability in the Linux kernel's af_unix component is a serious threat, as it can lead to local privilege escalation. By understanding how this vulnerability can be exploited and taking the recommended steps to patch your system, you can protect your organization from potential security breaches.

Timeline

Published on: 09/06/2023 14:15:12 UTC
Last modified on: 10/29/2023 02:43:44 UTC