GHSA-67C3-X939-573C

Vulnerability from github – Published: 2025-09-18 15:30 – Updated: 2025-12-11 21:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()

KCSAN found an issue in obj_stock_flush_required(): stock->cached_objcg can be reset between the check and dereference:

================================================================== BUG: KCSAN: data-race in drain_all_stock / drain_obj_stock

write to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0: drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306 refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340 obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408 memcg_slab_free_hook mm/slab.h:587 [inline] __cache_free mm/slab.c:3373 [inline] __do_kmem_cache_free mm/slab.c:3577 [inline] kmem_cache_free+0x105/0x280 mm/slab.c:3602 __d_free fs/dcache.c:298 [inline] dentry_free fs/dcache.c:375 [inline] __dentry_kill+0x422/0x4a0 fs/dcache.c:621 dentry_kill+0x8d/0x1e0 dput+0x118/0x1f0 fs/dcache.c:913 __fput+0x3bf/0x570 fs/file_table.c:329 _fput+0x15/0x20 fs/filetable.c:349 task_work_run+0x123/0x160 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171 exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203 syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1: obj_stock_flush_required mm/memcontrol.c:3319 [inline] drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361 try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703 try_charge mm/memcontrol.c:2837 [inline] mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290 sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025 sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525 udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692 udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817 sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668 __sys_setsockopt+0x1c3/0x230 net/socket.c:2271 __do_sys_setsockopt net/socket.c:2282 [inline] __se_sys_setsockopt net/socket.c:2279 [inline] __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0xffff8881382d52c0 -> 0xffff888138893740

Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023

Fix it by using READ_ONCE()/WRITE_ONCE() for all accesses to stock->cached_objcg.

Severity ?
4.7 (Medium)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T14:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()\n\nKCSAN found an issue in obj_stock_flush_required():\nstock-\u003ecached_objcg can be reset between the check and dereference:\n\n==================================================================\nBUG: KCSAN: data-race in drain_all_stock / drain_obj_stock\n\nwrite to 0xffff888237c2a2f8 of 8 bytes by task 19625 on cpu 0:\n drain_obj_stock+0x408/0x4e0 mm/memcontrol.c:3306\n refill_obj_stock+0x9c/0x1e0 mm/memcontrol.c:3340\n obj_cgroup_uncharge+0xe/0x10 mm/memcontrol.c:3408\n memcg_slab_free_hook mm/slab.h:587 [inline]\n __cache_free mm/slab.c:3373 [inline]\n __do_kmem_cache_free mm/slab.c:3577 [inline]\n kmem_cache_free+0x105/0x280 mm/slab.c:3602\n __d_free fs/dcache.c:298 [inline]\n dentry_free fs/dcache.c:375 [inline]\n __dentry_kill+0x422/0x4a0 fs/dcache.c:621\n dentry_kill+0x8d/0x1e0\n dput+0x118/0x1f0 fs/dcache.c:913\n __fput+0x3bf/0x570 fs/file_table.c:329\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x123/0x160 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0xcf/0xe0 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:296\n do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff888237c2a2f8 of 8 bytes by task 19632 on cpu 1:\n obj_stock_flush_required mm/memcontrol.c:3319 [inline]\n drain_all_stock+0x174/0x2a0 mm/memcontrol.c:2361\n try_charge_memcg+0x6d0/0xd10 mm/memcontrol.c:2703\n try_charge mm/memcontrol.c:2837 [inline]\n mem_cgroup_charge_skmem+0x51/0x140 mm/memcontrol.c:7290\n sock_reserve_memory+0xb1/0x390 net/core/sock.c:1025\n sk_setsockopt+0x800/0x1e70 net/core/sock.c:1525\n udp_lib_setsockopt+0x99/0x6c0 net/ipv4/udp.c:2692\n udp_setsockopt+0x73/0xa0 net/ipv4/udp.c:2817\n sock_common_setsockopt+0x61/0x70 net/core/sock.c:3668\n __sys_setsockopt+0x1c3/0x230 net/socket.c:2271\n __do_sys_setsockopt net/socket.c:2282 [inline]\n __se_sys_setsockopt net/socket.c:2279 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2279\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0xffff8881382d52c0 -\u003e 0xffff888138893740\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 19632 Comm: syz-executor.0 Not tainted 6.3.0-rc2-syzkaller-00387-g534293368afa #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023\n\nFix it by using READ_ONCE()/WRITE_ONCE() for all accesses to\nstock-\u003ecached_objcg.",
  "id": "GHSA-67c3-x939-573c",
  "modified": "2025-12-11T21:31:26Z",
  "published": "2025-09-18T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53401"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/33391c7e1a2ad612bf3922cc168cb09a46bbe236"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/33d9490b27e5d8da4444aefd714a4f50189db978"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b8abb3239530c423c0b97e42af7f7e856e1ee96"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.