CVE-2023-54195 (GCVE-0-2023-54195)
Vulnerability from cvelistv5
Published
2025-12-30 12:09
Modified
2025-12-30 12:09
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix timeout of a call that hasn't yet been granted a channel afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701 RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157 ... Call Trace: <TASK> rxrpc_send_ACK+0x50/0x13b rxrpc_input_call_event+0x16a/0x67d rxrpc_io_thread+0x1b6/0x45f ? _raw_spin_unlock_irqrestore+0x1f/0x35 ? rxrpc_input_packet+0x519/0x519 kthread+0xe7/0xef ? kthread_complete_and_exit+0x1b/0x1b ret_from_fork+0x22/0x30 Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted. It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal.
References
Impacted products
Vendor Product Version
Linux Linux Version: 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d
Version: 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d
Version: 9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/afs/afs.h",
            "fs/afs/internal.h",
            "fs/afs/rxrpc.c",
            "include/net/af_rxrpc.h",
            "net/rxrpc/af_rxrpc.c",
            "net/rxrpc/ar-internal.h",
            "net/rxrpc/call_object.c",
            "net/rxrpc/sendmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "92128a7170a220b5126d09a1c1954a3a8d46cef3",
              "status": "affected",
              "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d",
              "versionType": "git"
            },
            {
              "lessThan": "72f4a9f3f447948cf86dffe1c4a4c8a429ab9666",
              "status": "affected",
              "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d",
              "versionType": "git"
            },
            {
              "lessThan": "db099c625b13a74d462521a46d98a8ce5b53af5d",
              "status": "affected",
              "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/afs/afs.h",
            "fs/afs/internal.h",
            "fs/afs/rxrpc.c",
            "include/net/af_rxrpc.h",
            "net/rxrpc/af_rxrpc.c",
            "net/rxrpc/ar-internal.h",
            "net/rxrpc/call_object.c",
            "net/rxrpc/sendmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix timeout of a call that hasn\u0027t yet been granted a channel\n\nafs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may\nget stalled in the background waiting for a connection to become\navailable); it then calls rxrpc_kernel_set_max_life() to set the timeouts -\nbut that starts the call timer so the call timer might then expire before\nwe get a connection assigned - leading to the following oops if the call\nstalled:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t...\n\tCPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701\n\tRIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157\n\t...\n\tCall Trace:\n\t \u003cTASK\u003e\n\t rxrpc_send_ACK+0x50/0x13b\n\t rxrpc_input_call_event+0x16a/0x67d\n\t rxrpc_io_thread+0x1b6/0x45f\n\t ? _raw_spin_unlock_irqrestore+0x1f/0x35\n\t ? rxrpc_input_packet+0x519/0x519\n\t kthread+0xe7/0xef\n\t ? kthread_complete_and_exit+0x1b/0x1b\n\t ret_from_fork+0x22/0x30\n\nFix this by noting the timeouts in struct rxrpc_call when the call is\ncreated.  The timer will be started when the first packet is transmitted.\n\nIt shouldn\u0027t be possible to trigger this directly from userspace through\nAF_RXRPC as sendmsg() will return EBUSY if the call is in the\nwaiting-for-conn state if it dropped out of the wait due to a signal."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:09:02.123Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3"
        },
        {
          "url": "https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666"
        },
        {
          "url": "https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d"
        }
      ],
      "title": "rxrpc: Fix timeout of a call that hasn\u0027t yet been granted a channel",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54195",
    "datePublished": "2025-12-30T12:09:02.123Z",
    "dateReserved": "2025-12-30T12:06:44.498Z",
    "dateUpdated": "2025-12-30T12:09:02.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54195\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:07.547\",\"lastModified\":\"2025-12-30T13:16:07.547\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrxrpc: Fix timeout of a call that hasn\u0027t yet been granted a channel\\n\\nafs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may\\nget stalled in the background waiting for a connection to become\\navailable); it then calls rxrpc_kernel_set_max_life() to set the timeouts -\\nbut that starts the call timer so the call timer might then expire before\\nwe get a connection assigned - leading to the following oops if the call\\nstalled:\\n\\n\\tBUG: kernel NULL pointer dereference, address: 0000000000000000\\n\\t...\\n\\tCPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701\\n\\tRIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157\\n\\t...\\n\\tCall Trace:\\n\\t \u003cTASK\u003e\\n\\t rxrpc_send_ACK+0x50/0x13b\\n\\t rxrpc_input_call_event+0x16a/0x67d\\n\\t rxrpc_io_thread+0x1b6/0x45f\\n\\t ? _raw_spin_unlock_irqrestore+0x1f/0x35\\n\\t ? rxrpc_input_packet+0x519/0x519\\n\\t kthread+0xe7/0xef\\n\\t ? kthread_complete_and_exit+0x1b/0x1b\\n\\t ret_from_fork+0x22/0x30\\n\\nFix this by noting the timeouts in struct rxrpc_call when the call is\\ncreated.  The timer will be started when the first packet is transmitted.\\n\\nIt shouldn\u0027t be possible to trigger this directly from userspace through\\nAF_RXRPC as sendmsg() will return EBUSY if the call is in the\\nwaiting-for-conn state if it dropped out of the wait due to a signal.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.