ghsa-vmxf-qh3m-3qqj
Vulnerability from github
Published
2025-12-30 15:30
Modified
2025-12-30 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix timeout of a call that hasn't yet been granted a channel

afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
...
Call Trace:
 <TASK>
 rxrpc_send_ACK+0x50/0x13b
 rxrpc_input_call_event+0x16a/0x67d
 rxrpc_io_thread+0x1b6/0x45f
 ? _raw_spin_unlock_irqrestore+0x1f/0x35
 ? rxrpc_input_packet+0x519/0x519
 kthread+0xe7/0xef
 ? kthread_complete_and_exit+0x1b/0x1b
 ret_from_fork+0x22/0x30

Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted.

It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54195"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:07Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix timeout of a call that hasn\u0027t yet been granted a channel\n\nafs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may\nget stalled in the background waiting for a connection to become\navailable); it then calls rxrpc_kernel_set_max_life() to set the timeouts -\nbut that starts the call timer so the call timer might then expire before\nwe get a connection assigned - leading to the following oops if the call\nstalled:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000000\n\t...\n\tCPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701\n\tRIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157\n\t...\n\tCall Trace:\n\t \u003cTASK\u003e\n\t rxrpc_send_ACK+0x50/0x13b\n\t rxrpc_input_call_event+0x16a/0x67d\n\t rxrpc_io_thread+0x1b6/0x45f\n\t ? _raw_spin_unlock_irqrestore+0x1f/0x35\n\t ? rxrpc_input_packet+0x519/0x519\n\t kthread+0xe7/0xef\n\t ? kthread_complete_and_exit+0x1b/0x1b\n\t ret_from_fork+0x22/0x30\n\nFix this by noting the timeouts in struct rxrpc_call when the call is\ncreated.  The timer will be started when the first packet is transmitted.\n\nIt shouldn\u0027t be possible to trigger this directly from userspace through\nAF_RXRPC as sendmsg() will return EBUSY if the call is in the\nwaiting-for-conn state if it dropped out of the wait due to a signal.",
  "id": "GHSA-vmxf-qh3m-3qqj",
  "modified": "2025-12-30T15:30:31Z",
  "published": "2025-12-30T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54195"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.