{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-53021", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-03-27T16:40:15.752Z", "datePublished": "2025-03-27T16:43:47.860Z", "dateUpdated": "2025-05-04T07:47:51.116Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:47:51.116Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_taprio: fix possible use-after-free\n\nsyzbot reported a nasty crash [1] in net_tx_action() which\nmade little sense until we got a repro.\n\nThis repro installs a taprio qdisc, but providing an\ninvalid TCA_RATE attribute.\n\nqdisc_create() has to destroy the just initialized\ntaprio qdisc, and taprio_destroy() is called.\n\nHowever, the hrtimer used by taprio had already fired,\ntherefore advance_sched() called __netif_schedule().\n\nThen net_tx_action was trying to use a destroyed qdisc.\n\nWe can not undo the __netif_schedule(), so we must wait\nuntil one cpu serviced the qdisc before we can proceed.\n\nMany thanks to Alexander Potapenko for his help.\n\n[1]\nBUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\nBUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\nBUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\nBUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\n do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\n __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\n _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n spin_trylock include/linux/spinlock.h:359 [inline]\n qdisc_run_begin include/net/sch_generic.h:187 [inline]\n qdisc_run+0xee/0x540 include/net/pkt_sched.h:125\n net_tx_action+0x77c/0x9a0 net/core/dev.c:5086\n __do_softirq+0x1cc/0x7fb kernel/softirq.c:571\n run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934\n smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164\n kthread+0x31b/0x430 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:732 [inline]\n slab_alloc_node mm/slub.c:3258 [inline]\n __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970\n kmalloc_reserve net/core/skbuff.c:358 [inline]\n __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430\n alloc_skb include/linux/skbuff.h:1257 [inline]\n nlmsg_new include/net/netlink.h:953 [inline]\n netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436\n netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507\n rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536\n __sys_sendmsg net/socket.c:2565 [inline]\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/sch_generic.h", "net/sched/sch_taprio.c"], "versions": [{"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "1200388a0b1c3c6fda48d4d2143db8f7e4ef5348", "status": "affected", "versionType": "git"}, {"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "c60fe70078d6e515f424cb868d07e00411b27fbc", "status": "affected", "versionType": "git"}, {"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "c53acbf2facfdfabdc6e6984a1a38f5d38b606a1", "status": "affected", "versionType": "git"}, {"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "d3b2d2820a005e43855fa71b80c4a4b194201c60", "status": "affected", "versionType": "git"}, {"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "3a415d59c1dbec9d772dbfab2d2520d98360caae", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/sch_generic.h", "net/sched/sch_taprio.c"], "versions": [{"version": "4.20", "status": "affected"}, {"version": "0", "lessThan": "4.20", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.231", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.166", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.91", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.9", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.231"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.10.166"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.15.91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.1.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "6.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1200388a0b1c3c6fda48d4d2143db8f7e4ef5348"}, {"url": "https://git.kernel.org/stable/c/c60fe70078d6e515f424cb868d07e00411b27fbc"}, {"url": "https://git.kernel.org/stable/c/c53acbf2facfdfabdc6e6984a1a38f5d38b606a1"}, {"url": "https://git.kernel.org/stable/c/d3b2d2820a005e43855fa71b80c4a4b194201c60"}, {"url": "https://git.kernel.org/stable/c/3a415d59c1dbec9d772dbfab2d2520d98360caae"}], "title": "net/sched: sch_taprio: fix possible use-after-free", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-53021", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-27T17:01:12.195276Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T17:08:23.724Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-53021", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-27T17:01:12.195276Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T17:01:13.583Z"}}], "cna": {"title": "net/sched: sch_taprio: fix possible use-after-free", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "1200388a0b1c3c6fda48d4d2143db8f7e4ef5348", "versionType": "git"}, {"status": "affected", "version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "c60fe70078d6e515f424cb868d07e00411b27fbc", "versionType": "git"}, {"status": "affected", "version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "c53acbf2facfdfabdc6e6984a1a38f5d38b606a1", "versionType": "git"}, {"status": "affected", "version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "d3b2d2820a005e43855fa71b80c4a4b194201c60", "versionType": "git"}, {"status": "affected", "version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22", "lessThan": "3a415d59c1dbec9d772dbfab2d2520d98360caae", "versionType": "git"}], "programFiles": ["include/net/sch_generic.h", "net/sched/sch_taprio.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.20"}, {"status": "unaffected", "version": "0", "lessThan": "4.20", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.231", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.166", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.91", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.9", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/net/sch_generic.h", "net/sched/sch_taprio.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/1200388a0b1c3c6fda48d4d2143db8f7e4ef5348"}, {"url": "https://git.kernel.org/stable/c/c60fe70078d6e515f424cb868d07e00411b27fbc"}, {"url": "https://git.kernel.org/stable/c/c53acbf2facfdfabdc6e6984a1a38f5d38b606a1"}, {"url": "https://git.kernel.org/stable/c/d3b2d2820a005e43855fa71b80c4a4b194201c60"}, {"url": "https://git.kernel.org/stable/c/3a415d59c1dbec9d772dbfab2d2520d98360caae"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_taprio: fix possible use-after-free\n\nsyzbot reported a nasty crash [1] in net_tx_action() which\nmade little sense until we got a repro.\n\nThis repro installs a taprio qdisc, but providing an\ninvalid TCA_RATE attribute.\n\nqdisc_create() has to destroy the just initialized\ntaprio qdisc, and taprio_destroy() is called.\n\nHowever, the hrtimer used by taprio had already fired,\ntherefore advance_sched() called __netif_schedule().\n\nThen net_tx_action was trying to use a destroyed qdisc.\n\nWe can not undo the __netif_schedule(), so we must wait\nuntil one cpu serviced the qdisc before we can proceed.\n\nMany thanks to Alexander Potapenko for his help.\n\n[1]\nBUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\nBUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\nBUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\nBUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\n do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\n __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\n _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n spin_trylock include/linux/spinlock.h:359 [inline]\n qdisc_run_begin include/net/sch_generic.h:187 [inline]\n qdisc_run+0xee/0x540 include/net/pkt_sched.h:125\n net_tx_action+0x77c/0x9a0 net/core/dev.c:5086\n __do_softirq+0x1cc/0x7fb kernel/softirq.c:571\n run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934\n smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164\n kthread+0x31b/0x430 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:732 [inline]\n slab_alloc_node mm/slub.c:3258 [inline]\n __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970\n kmalloc_reserve net/core/skbuff.c:358 [inline]\n __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430\n alloc_skb include/linux/skbuff.h:1257 [inline]\n nlmsg_new include/net/netlink.h:953 [inline]\n netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436\n netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507\n rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536\n __sys_sendmsg net/socket.c:2565 [inline]\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-27T16:43:47.860Z"}}}, "cveMetadata": {"cveId": "CVE-2023-53021", "state": "PUBLISHED", "dateUpdated": "2025-03-27T17:08:23.724Z", "dateReserved": "2025-03-27T16:40:15.752Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-03-27T16:43:47.860Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CA608C-BC5E-4BB5-9250-771AEC44F412", "versionEndExcluding": "5.4.231", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A44D9D24-661C-40D4-8735-4CEB1C7C02F2", "versionEndExcluding": "5.10.166", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "91C2E92D-CC25-4FBD-8824-56A148119D7E", "versionEndExcluding": "5.15.91", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED5B6045-B1D2-4E03-B194-9005A351BCAE", "versionEndExcluding": "6.1.9", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_taprio: fix possible use-after-free\n\nsyzbot reported a nasty crash [1] in net_tx_action() which\nmade little sense until we got a repro.\n\nThis repro installs a taprio qdisc, but providing an\ninvalid TCA_RATE attribute.\n\nqdisc_create() has to destroy the just initialized\ntaprio qdisc, and taprio_destroy() is called.\n\nHowever, the hrtimer used by taprio had already fired,\ntherefore advance_sched() called __netif_schedule().\n\nThen net_tx_action was trying to use a destroyed qdisc.\n\nWe can not undo the __netif_schedule(), so we must wait\nuntil one cpu serviced the qdisc before we can proceed.\n\nMany thanks to Alexander Potapenko for his help.\n\n[1]\nBUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\nBUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\nBUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\nBUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\n do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\n __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\n _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n spin_trylock include/linux/spinlock.h:359 [inline]\n qdisc_run_begin include/net/sch_generic.h:187 [inline]\n qdisc_run+0xee/0x540 include/net/pkt_sched.h:125\n net_tx_action+0x77c/0x9a0 net/core/dev.c:5086\n __do_softirq+0x1cc/0x7fb kernel/softirq.c:571\n run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934\n smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164\n kthread+0x31b/0x430 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:732 [inline]\n slab_alloc_node mm/slub.c:3258 [inline]\n __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970\n kmalloc_reserve net/core/skbuff.c:358 [inline]\n __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430\n alloc_skb include/linux/skbuff.h:1257 [inline]\n nlmsg_new include/net/netlink.h:953 [inline]\n netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436\n netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507\n rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536\n __sys_sendmsg net/socket.c:2565 [inline]\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: sch_taprio: correcci\u00f3n de posible error de use-after-free syzbot report\u00f3 un fallo grave [1] en net_tx_action() que no ten\u00eda sentido hasta que se reprodujo. Esta reproducci\u00f3n instala una qdisc de Taprio, pero proporciona un atributo TCA_RATE no v\u00e1lido. qdisc_create() debe destruir la qdisc de Taprio reci\u00e9n inicializada, y se llama a taprio_destroy(). Sin embargo, el temporizador hr usado por Taprio ya se hab\u00eda ejecutado, por lo que advance_sched() llam\u00f3 a __netif_schedule(). Entonces, net_tx_action intentaba usar una qdisc destruida. No podemos deshacer __netif_schedule(), por lo que debemos esperar a que una CPU haya dado servicio a la qdisc antes de continuar. Muchas gracias a Alexander Potapenko por su ayuda. [1] ERROR: KMSAN: valor no inicializado en queued_spin_trylock include/asm-generic/qspinlock.h:94 [en l\u00ednea] ERROR: KMSAN: valor no inicializado en do_raw_spin_trylock include/linux/spinlock.h:191 [en l\u00ednea] ERROR: KMSAN: valor no inicializado en __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [en l\u00ednea] ERROR: KMSAN: valor no inicializado en _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 queued_spin_trylock include/asm-generic/qspinlock.h:94 [en l\u00ednea] do_raw_spin_trylock include/linux/spinlock.h:191 [en l\u00ednea] __raw_spin_trylock incluir/linux/spinlock_api_smp.h:89 [en l\u00ednea] _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 spin_trylock incluir/linux/spinlock.h:359 [en l\u00ednea] qdisc_run_begin incluir/net/sch_generic.h:187 [en l\u00ednea] qdisc_run+0xee/0x540 incluir/net/pkt_sched.h:125 net_tx_action+0x77c/0x9a0 net/core/dev.c:5086 __do_softirq+0x1cc/0x7fb kernel/softirq.c:571 run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934 smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164 kthread+0x31b/0x430 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 Uninit se cre\u00f3 en: slab_post_alloc_hook mm/slab.h:732 [en l\u00ednea] slab_alloc_node mm/slub.c:3258 [en l\u00ednea] __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970 kmalloc_reserve net/core/skbuff.c:358 [en l\u00ednea] __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430 alloc_skb include/linux/skbuff.h:1257 [en l\u00ednea] nlmsg_new include/net/netlink.h:953 [en l\u00ednea] netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436 netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507 rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [en l\u00ednea] netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [en l\u00ednea] sock_sendmsg net/socket.c:734 [en l\u00ednea] ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536 __sys_sendmsg net/socket.c:2565 [en l\u00ednea] __do_sys_sendmsg net/socket.c:2574 [en l\u00ednea] __se_sys_sendmsg net/socket.c:2572 [en l\u00ednea] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd CPU: 0 PID: 13 Comm: ksoftirqd/0 No contaminado 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 22/07/2022"}], "id": "CVE-2023-53021", "lastModified": "2025-04-01T15:40:10.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-27T17:15:51.580", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1200388a0b1c3c6fda48d4d2143db8f7e4ef5348"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3a415d59c1dbec9d772dbfab2d2520d98360caae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c53acbf2facfdfabdc6e6984a1a38f5d38b606a1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c60fe70078d6e515f424cb868d07e00411b27fbc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d3b2d2820a005e43855fa71b80c4a4b194201c60"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7077", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-513.5.1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:2458", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:2458", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "kernel: net/sched: sch_taprio: fix possible use-after-free", "id": "2355484", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355484"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: sch_taprio: fix possible use-after-free\nsyzbot reported a nasty crash [1] in net_tx_action() which\nmade little sense until we got a repro.\nThis repro installs a taprio qdisc, but providing an\ninvalid TCA_RATE attribute.\nqdisc_create() has to destroy the just initialized\ntaprio qdisc, and taprio_destroy() is called.\nHowever, the hrtimer used by taprio had already fired,\ntherefore advance_sched() called __netif_schedule().\nThen net_tx_action was trying to use a destroyed qdisc.\nWe can not undo the __netif_schedule(), so we must wait\nuntil one cpu serviced the qdisc before we can proceed.\nMany thanks to Alexander Potapenko for his help.\n[1]\nBUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\nBUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\nBUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\nBUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\nqueued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\ndo_raw_spin_trylock include/linux/spinlock.h:191 [inline]\n__raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\n_raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\nspin_trylock include/linux/spinlock.h:359 [inline]\nqdisc_run_begin include/net/sch_generic.h:187 [inline]\nqdisc_run+0xee/0x540 include/net/pkt_sched.h:125\nnet_tx_action+0x77c/0x9a0 net/core/dev.c:5086\n__do_softirq+0x1cc/0x7fb kernel/softirq.c:571\nrun_ksoftirqd+0x2c/0x50 kernel/softirq.c:934\nsmpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164\nkthread+0x31b/0x430 kernel/kthread.c:376\nret_from_fork+0x1f/0x30\nUninit was created at:\nslab_post_alloc_hook mm/slab.h:732 [inline]\nslab_alloc_node mm/slub.c:3258 [inline]\n__kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970\nkmalloc_reserve net/core/skbuff.c:358 [inline]\n__alloc_skb+0x346/0xcf0 net/core/skbuff.c:430\nalloc_skb include/linux/skbuff.h:1257 [inline]\nnlmsg_new include/net/netlink.h:953 [inline]\nnetlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436\nnetlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507\nrtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108\nnetlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\nnetlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\nnetlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg net/socket.c:734 [inline]\n____sys_sendmsg+0xabc/0xe90 net/socket.c:2482\n___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536\n__sys_sendmsg net/socket.c:2565 [inline]\n__do_sys_sendmsg net/socket.c:2574 [inline]\n__se_sys_sendmsg net/socket.c:2572 [inline]\n__x64_sys_sendmsg+0x367/0x540 net/socket.c:2572\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-53021", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53021\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53021\nhttps://lore.kernel.org/linux-cve-announce/2025032718-CVE-2023-53021-def9@gregkh/T"], "threat_severity": "Moderate"}