Acknowledged
Created: Jul 8, 2025
Updated: Jul 10, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

af_unix: Don't leave consecutive consumed OOB skbs.

Jann Horn reported a use-after-free in unix_stream_read_generic().

The following sequences reproduce the issue:

  $ python3
  from socket import *
  s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)
  s1.send(b'x', MSG_OOB)
  s2.recv(1, MSG_OOB)  # leave a consumed OOB skb
  s1.send(b'y', MSG_OOB)
  s2.recv(1, MSG_OOB)  # leave a consumed OOB skb
  s1.send(b'z', MSG_OOB)
  s2.recv(1)           # recv 'z' illegally
  s2.recv(1, MSG_OOB)  # access 'z' skb (use-after-free)

Even though a user reads OOB data, the skb holding the data stays on
the recv queue to mark the OOB boundary and break the next recv().

After the last send() in the scenario above, the sk2's recv queue has
2 leading consumed OOB skbs and 1 real OOB skb.

Then, the following happens during the next recv() without MSG_OOB

  1. unix_stream_read_generic() peeks the first consumed OOB skb
  2. manage_oob() returns the next consumed OOB skb
  3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb
  4. unix_stream_read_generic() reads and frees the OOB skb

, and the last recv(MSG_OOB) triggers KASAN splat.

The 3. above occurs because of the SO_PEEK_OFF code, which does not
expect unix_skb_len(skb) to be 0, but this is true for such consumed
OOB skbs.

  while (skip >= unix_skb_len(skb)) {
    skip -= unix_skb_len(skb);
    skb = skb_peek_next(skb, &sk->sk_receive_queue);
    ...
  }

In addition to this use-after-free, there is another issue that
ioctl(SIOCATMARK) does not function properly with consecutive consumed
OOB skbs.

So, nothing good comes out of such a situation.

Instead of complicating manage_oob(), ioctl() handling, and the next
ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs,
let's not leave such consecutive OOB unnecessarily.

Now, while receiving an OOB skb in unix_stream_recv_urg(), if its
previous skb is a consumed OOB skb, it is freed.

[0]:
BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027)
Read of size 4 at addr ffff888106ef2904 by task python3/315

CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:122)
 print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
 kasan_report (mm/kasan/report.c:636)
 unix_stream_read_actor (net/unix/af_unix.c:3027)
 unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847)
 unix_stream_recvmsg (net/unix/af_unix.c:3048)
 sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))
 __sys_recvfrom (net/socket.c:2278)
 __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))
 do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f8911fcea06
Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06
RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006
RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20
R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 315:
 kasan_save_stack (mm/kasan/common.c:48)
 kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
 __kasan_slab_alloc (mm/kasan/common.c:348)
 kmem_cache_alloc_
---truncated---
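As an added illustration (not part of the advisory or of the kernel source), the following Python model of the receiving socket's queue replays the sequence above, once with consecutive consumed OOB skbs left in place and once with the unix_stream_recv_urg() fix applied. It simplifies manage_oob() to a single "drop one consumed skb at the head" step and stops a normal recv() at the OOB boundary, so it shows the queue state and the order of events, not the kernel's locking or error codes.

```python
class UseAfterFree(RuntimeError): pass   # stands in for the KASAN report

class Skb:
    def __init__(self, data):
        self.data, self.consumed = data, 0
    def unix_skb_len(self):               # kernel unix_skb_len(): bytes not yet consumed
        return len(self.data) - self.consumed

class RecvQueue:                          # sk_receive_queue plus unix_sk(sk)->oob_skb
    def __init__(self):
        self.queue, self.oob_skb, self.freed = [], None, []
    def _free(self, skb):                 # unlink + consume_skb(); object kept so reuse is visible
        self.queue.remove(skb); self.freed.append(skb)
    def queue_oob(self, data):            # peer's send(data, MSG_OOB): queue a 1-byte OOB skb
        skb = Skb(data); self.queue.append(skb); self.oob_skb = skb
    def recv_urg(self, fixed):            # unix_stream_recv_urg(), i.e. recv(1, MSG_OOB)
        skb = self.oob_skb
        if skb in self.freed:
            raise UseAfterFree("oob_skb was freed by a normal recv()")
        self.oob_skb = None
        skb.consumed += 1                 # consumed skb stays queued as the OOB boundary mark
        if fixed:                         # the fix: also free an adjacent consumed OOB skb
            i = self.queue.index(skb)
            if i > 0 and self.queue[i - 1].unix_skb_len() == 0:
                self._free(self.queue[i - 1])
        return skb.data
    def recv(self, skip=0):               # unix_stream_read_generic() without MSG_OOB
        skb = self.queue[0]               # 1. peek the head skb
        if skb.unix_skb_len() == 0:       # 2. manage_oob(): drop one consumed OOB skb, return next
            self._free(skb)
            skb = self.queue[0] if self.queue else None
        if skb is None or skb is self.oob_skb:
            return b""                    # nothing readable before the OOB boundary (simplified)
        while skip >= skb.unix_skb_len(): # 3. SO_PEEK_OFF loop: 0 >= 0 steps over a consumed skb
            skip -= skb.unix_skb_len()
            skb = self.queue[self.queue.index(skb) + 1]   # lands on the real OOB skb, unchecked
        data = skb.data[skb.consumed + skip:]
        self._free(skb)                   # 4. fully read: freed even though it is still oob_skb
        return data

def replay(fixed):  # replay the advisory's sequence: (normal recv() result, final recv(MSG_OOB))
    s2 = RecvQueue()
    s2.queue_oob(b"x"); s2.recv_urg(fixed)
    s2.queue_oob(b"y"); s2.recv_urg(fixed)
    s2.queue_oob(b"z")
    got = s2.recv()
    try:
        return got, s2.recv_urg(fixed)
    except UseAfterFree as e:
        return got, str(e)
```

With `fixed=False` the normal recv() returns b'z' and the following recv(MSG_OOB) touches a freed skb; with `fixed=True` the second recv_urg() removes the consumed 'x' skb, the normal recv() stops at the boundary, and recv(MSG_OOB) returns b'z'.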
CREATE(Triage):(User=admin) CVE-2025-38236 (https://nvd.nist.gov/vuln/detail/CVE-2025-38236)