CVE-2023-53825
Description
In the Linux kernel, the following vulnerability has been resolved:
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by updating kcm_tx_msg(head)->last_skb if partial data is copied so that the following sendmsg() will resume from the skb.
However, we cannot know how many bytes were copied when we get the error. Thus, we could mess up the MSG_MORE queue.
When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we do so for UDP by udp_flush_pending_frames().
Even without this change, when the error occurred, the following sendmsg() resumed from a wrong skb and the queue was messed up. However, we have yet to get such a report, and only syzkaller stumbled on it. So, this can be changed safely.
Note this does not change SOCK_SEQPACKET behaviour.
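To make the point of the description concrete, the following is a constructed C model added for this page; it is not kernel code and not the KCM fix. It assumes a fixed-size fragment chain standing in for the skb chain behind `kcm_tx_msg()`, a fault-injecting copy routine (`copy_model`) whose caller only learns `-EFAULT` and never the byte count, and the hypothetical functions `dgram_send`, `run_scenario` and `count_poison`. The same sender sequence is run under both error policies: keeping the chain and resuming (the behaviour before the fix) and purging the pending queue on error (the behaviour the fix adopts from `udp_flush_pending_frames()`).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Constructed model written for this page, not KCM or any kernel code: a frag
 * stands in for one skb, the chain for the MSG_MORE queue behind kcm_tx_msg(),
 * and POISON marks bytes that were never copied from the sender. */
#define FRAG_SIZE 8
#define MAX_FRAGS 8
#define OUT_SIZE  (FRAG_SIZE * MAX_FRAGS)
#define POISON    0xAA
#define NO_FAULT  ((size_t)-1)
enum error_policy {
    RESUME_FROM_LAST, /* pre-fix: keep the chain, let the next call resume */
    PURGE_QUEUE       /* fix: drop pending data, as udp_flush_pending_frames() does */
};
struct frag { unsigned char data[FRAG_SIZE]; size_t len; };
struct pending_dgram { struct frag frags[MAX_FRAGS]; int nfrags; };

void dgram_init(struct pending_dgram *q)
{
    memset(q, POISON, sizeof(*q)); /* poison so never-copied bytes are visible */
    q->nfrags = 0;
}

/* Stand-in for a user copy that faults at byte fault_at: the caller gets only
 * -EFAULT, never the byte count, which is the problem the description names. */
static int copy_model(unsigned char *dst, const unsigned char *src, size_t len, size_t fault_at)
{
    memcpy(dst, src, fault_at < len ? fault_at : len);
    return fault_at < len ? -EFAULT : 0;
}

/* One sendmsg() call on a datagram assembled with MSG_MORE; returns 0, -EMSGSIZE
 * or -EFAULT (fault injected at offset fault_at of buf).  more == 0 finalises. */
int dgram_send(struct pending_dgram *q, const void *buf, size_t len, int more,
               size_t fault_at, enum error_policy pol, unsigned char *out, size_t *outlen)
{
    const unsigned char *src = buf;
    size_t off = 0, n = 0, chunk;
    struct frag *f;
    int i;
    while (off < len) {
        if (q->nfrags == MAX_FRAGS)
            return -EMSGSIZE;
        chunk = len - off < FRAG_SIZE ? len - off : FRAG_SIZE;
        f = &q->frags[q->nfrags++];
        f->len = chunk; /* length committed before the data lands, like growing an skb */
        if (copy_model(f->data, src + off, chunk, fault_at - off)) {
            /* RESUME keeps a frag whose len covers bytes that never arrived; PURGE drops all */
            if (pol == PURGE_QUEUE)
                dgram_init(q);
            return -EFAULT;
        }
        off += chunk;
    }
    if (more)
        return 0;
    for (i = 0; i < q->nfrags; n += q->frags[i++].len) /* finalise: flatten the chain */
        memcpy(out + n, q->frags[i].data, q->frags[i].len);
    *outlen = n;
    dgram_init(q);
    return 0;
}

/* Sender side: three MSG_MORE pieces of one datagram, a fault injected in the second
 * on the first attempt; on -EFAULT the sender restarts the whole datagram, as after UDP flush. */
size_t run_scenario(enum error_policy pol, unsigned char *out)
{
    static const char *pieces[] = { "HELLO", "WORLD!!!", "END" };
    struct pending_dgram q;
    size_t outlen = 0, fault;
    int i = 0, attempt = 0, err;
    dgram_init(&q);
    while (i < 3) {
        fault = (attempt == 0 && i == 1) ? 3 : NO_FAULT;
        err = dgram_send(&q, pieces[i], strlen(pieces[i]), i < 2, fault, pol, out, &outlen);
        if (err == -EFAULT) { attempt++; i = 0; continue; }
        if (err) return 0;
        i++;
    }
    return outlen;
}

size_t count_poison(const unsigned char *buf, size_t len) /* bytes the sender never supplied */
{
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        n += (buf[i] == POISON);
    return n;
}
int main(void)
{
    unsigned char out[OUT_SIZE];
    size_t n = run_scenario(RESUME_FROM_LAST, out);
    printf("resume: %zu bytes delivered, %zu never copied\n", n, count_poison(out, n));
    n = run_scenario(PURGE_QUEUE, out);
    printf("purge:  %zu bytes delivered, %zu never copied: %.*s\n", n, count_poison(out, n), (int)n, (const char *)out);
    return 0;
}
```

Under the resume policy the delivered datagram is 29 bytes: the partially filled fragment stays in the chain with a length covering five bytes that were never copied, and the sender's retry lands behind it, so the receiver sees stale bytes and a duplicated prefix. Under the purge policy the failed call leaves nothing pending, the sender's retry rebuilds the datagram from the start, and exactly the 16 bytes it supplied are delivered.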
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, KCM's kcm_sendmsg() for SOCK_DGRAM leaks memory and can corrupt the MSG_MORE queue on error, requiring a purge.
Vulnerability
In the Linux kernel's Kernel Connection Multiplexor (KCM) subsystem, the kcm_sendmsg() function's error handling for SOCK_DGRAM sockets is flawed. When an error occurs during message transmission after partial data has been copied into an skb, there is a memory leak because the partially-constructed skb is not properly freed. A prior fix (commit c821a88bd720) attempted to address the leak by updating kcm_tx_msg(head)->last_skb so that a subsequent sendmsg() call could resume from the last partially-copied skb. However, the kernel's description notes that it is impossible to know how many bytes were already copied when the error occurred, so resuming from that skb can corrupt the MSG_MORE queue, leading to data corruption or kernel state instability [1].
Exploitation
An attacker would need the ability to invoke the sendmsg() system call on a KCM socket of type SOCK_DGRAM and cause an error during the message copy phase. This can be achieved by sending a message on such a socket. A local user or a process with access to such a socket can exploit this condition. The attack surface is limited to users with the capability to create and use KCM sockets, but no special privileges beyond the ability to call sendmsg() are required. Syzkaller, a kernel fuzzer, discovered this issue, indicating it can be triggered by crafted input [2].
Impact
An attacker who successfully triggers this vulnerability can cause a memory leak, depleting kernel memory over time, and also corrupt the MSG_MORE queue's internal state. This could result in data corruption for subsequent messages or a denial-of-service condition because the following sendmsg() call may use a wrong skb, leading to unpredictable kernel behavior. The impact is primarily availability and integrity of kernel socket operations, but it does not directly lead to privilege escalation [3].
Mitigation
The fix, included in Linux kernel stable updates, purges the pending queue in the error path for SOCK_DGRAM, mirroring how UDP handles similar failures with udp_flush_pending_frames(). Administrators should apply kernel updates that incorporate commit a22730b1b4bf or its backports (such as e5b28ce127a6 or 55d2e7c1ab8e). No workaround is available other than avoiding the use of KCM sockets or restricting access to them via security modules or containerization [1, 2, 3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
- 21b467735b08
- d4b8f380b0a0
- 1ce8362b4ac6
- 2e18493c4214
- 55d2e7c1ab8e
- e5b28ce127a6
- 992b2ac783aa
- a22730b1b4bf
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b (nvd)
- git.kernel.org/stable/c/21b467735b0888a8daa048f83d3b9b50fdab71ce (nvd)
- git.kernel.org/stable/c/2e18493c421428a936946c452461b8e979088f17 (nvd)
- git.kernel.org/stable/c/55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc (nvd)
- git.kernel.org/stable/c/992b2ac783aad360b98ed9d4686e86176a20f6f1 (nvd)
- git.kernel.org/stable/c/a22730b1b4bf437c6bbfdeff5feddf54be4aeada (nvd)
- git.kernel.org/stable/c/d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b (nvd)
- git.kernel.org/stable/c/e5b28ce127a690f3acc49a6a342e6c9442c9edd6 (nvd)
News mentions
No linked articles in our index yet.