CVE-2023-52842 in Linux
Summary
by MITRE • 05/21/2024
In the Linux kernel, the following vulnerability has been resolved:
virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()
KMSAN reported the following uninit-value access issue:
===================================================== BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Uninit was stored to memory at: virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline]
virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Uninit was created at: slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline]
virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline]
virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline]
virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: vsock-loopback vsock_loopback_work =====================================================
The following simple reproducer can cause the issue described above:
int main(void) {
int sock; struct sockaddr_vm addr = {
.svm_family = AF_VSOCK, .svm_cid = VMADDR_CID_ANY, .svm_port = 1234, };
sock = socket(AF_VSOCK, SOCK_STREAM, 0); connect(sock, (struct sockaddr *)&addr, sizeof(addr)); return 0; }
This issue occurs because the `buf_alloc` and `fwd_cnt` fields of the `struct virtio_vsock_hdr` are not initialized when a new skb is allocated in `virtio_transport_init_hdr()`. This patch resolves the issue by initializing these fields during allocation.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/31/2024
The vulnerability identified as CVE-2023-52842 represents a critical uninitialized memory access flaw within the Linux kernel's virtio virtual socket implementation. This issue manifests in the virtio_transport_recv_pkt function where KMSAN static analysis detected an uninitialized value being read from memory, specifically at line 1421 of net/vmw_vsock/virtio_transport_common.c. The vulnerability stems from the improper initialization of fields within the virtio_vsock_hdr structure during socket buffer allocation, creating a potential pathway for information disclosure or system instability. The flaw occurs during normal virtio vsock operation when handling loopback work processing through the kernel's workqueue subsystem, making it particularly concerning for systems utilizing virtualized networking environments.
The technical root cause lies in the virtio_transport_init_hdr function where the buf_alloc and fwd_cnt fields of struct virtio_vsock_hdr are not properly initialized when new socket buffers are allocated through virtio_vsock_alloc_skb. This uninitialized memory access pattern creates a scenario where sensitive data from previous allocations could be inadvertently exposed or where the kernel's memory management could be corrupted. The call stack demonstrates this issue propagates through multiple kernel subsystems including the workqueue processing, kthread execution, and socket buffer allocation mechanisms, indicating a complex interaction between different kernel components. The specific memory allocation path shows that the uninitialized values originate from slab allocator hooks and propagate through kmalloc_reserve, __alloc_skb, and ultimately to the virtio_transport_alloc_skb function where the header structure is initialized without proper field initialization.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to extract sensitive information from kernel memory through carefully crafted vsock connections. The flaw affects systems running Linux kernels with virtio vsock support, particularly those utilizing virtualized environments where the vsock loopback mechanism is active. Attackers could exploit this vulnerability to gain insights into kernel memory layout, potentially aiding in more sophisticated exploitation techniques. The vulnerability's presence in the loopback processing path means that even benign vsock operations could trigger the uninitialized memory access, making it difficult to detect and mitigate. This issue directly relates to CWE-457: Use of Uninitialized Variable and aligns with ATT&CK technique T1059.006: Command and Scripting Interpreter: Python, where an attacker might leverage such memory corruption for privilege escalation or information gathering.
The fix implemented addresses the core issue by ensuring proper initialization of the buf_alloc and fwd_cnt fields within the virtio_vsock_hdr structure during allocation. This patch maintains kernel memory safety by preventing the read of uninitialized values that could contain sensitive data or garbage values. The remediation approach follows established kernel security practices by ensuring all structure fields are properly initialized before use, preventing potential information leaks that could aid in bypassing kernel security mitigations. Organizations should prioritize applying this patch to all systems running affected kernel versions, particularly those operating virtualized environments where virtio vsock functionality is utilized. The vulnerability's classification as a memory safety issue underscores the importance of comprehensive kernel memory validation and the need for continuous security auditing of kernel subsystems handling virtualized networking components.