CVE-2023-53809 (GCVE-0-2023-53809)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
When a file descriptor of pppol2tp socket is passed as file descriptor
of UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().
This situation is reproduced by the following program:
int main(void)
{
int sock;
struct sockaddr_pppol2tp addr;
sock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (sock < 0) {
perror("socket");
return 1;
}
addr.sa_family = AF_PPPOX;
addr.sa_protocol = PX_PROTO_OL2TP;
addr.pppol2tp.pid = 0;
addr.pppol2tp.fd = sock;
addr.pppol2tp.addr.sin_family = PF_INET;
addr.pppol2tp.addr.sin_port = htons(0);
addr.pppol2tp.addr.sin_addr.s_addr = inet_addr("192.168.0.1");
addr.pppol2tp.s_tunnel = 1;
addr.pppol2tp.s_session = 0;
addr.pppol2tp.d_tunnel = 0;
addr.pppol2tp.d_session = 0;
if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {
perror("connect");
return 1;
}
return 0;
}
This program causes the following lockdep warning:
============================================
WARNING: possible recursive locking detected
6.2.0-rc5-00205-gc96618275234 #56 Not tainted
--------------------------------------------
repro/8607 is trying to acquire lock:
ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0
but task is already holding lock:
ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(sk_lock-AF_PPPOX);
lock(sk_lock-AF_PPPOX);
*** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by repro/8607:
#0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30
stack backtrace:
CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x178
__lock_acquire.cold+0x119/0x3b9
? lockdep_hardirqs_on_prepare+0x410/0x410
lock_acquire+0x1e0/0x610
? l2tp_tunnel_register+0x2b7/0x11c0
? lock_downgrade+0x710/0x710
? __fget_files+0x283/0x3e0
lock_sock_nested+0x3a/0xf0
? l2tp_tunnel_register+0x2b7/0x11c0
l2tp_tunnel_register+0x2b7/0x11c0
? sprintf+0xc4/0x100
? l2tp_tunnel_del_work+0x6b0/0x6b0
? debug_object_deactivate+0x320/0x320
? lockdep_init_map_type+0x16d/0x7a0
? lockdep_init_map_type+0x16d/0x7a0
? l2tp_tunnel_create+0x2bf/0x4b0
? l2tp_tunnel_create+0x3c6/0x4b0
pppol2tp_connect+0x14e1/0x1a30
? pppol2tp_put_sk+0xd0/0xd0
? aa_sk_perm+0x2b7/0xa80
? aa_af_perm+0x260/0x260
? bpf_lsm_socket_connect+0x9/0x10
? pppol2tp_put_sk+0xd0/0xd0
__sys_connect_file+0x14f/0x190
__sys_connect+0x133/0x160
? __sys_connect_file+0x190/0x190
? lockdep_hardirqs_on+0x7d/0x100
? ktime_get_coarse_real_ts64+0x1b7/0x200
? ktime_get_coarse_real_ts64+0x147/0x200
? __audit_syscall_entry+0x396/0x500
__x64_sys_connect+0x72/0xb0
do_syscall_64+0x38/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
This patch fixes the issue by getting/creating the tunnel before
locking the pppol2tp socket.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2d77e5c0ad79004b5ef901895437e9cce6dfcc7e , < 4a413d360959962995e16a899cf2b9ef53e9fcb9
(git)
Affected: 77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce , < f6df58aa15f7d469f69b1dd21b001ff483255244 (git) Affected: cef0845b6dcfa2f6c2c832e7f9622551456c741d , < 4bb736b40475528ac1aa8c98b368563618488a70 (git) Affected: 0b2c59720e65885a394a017d0cf9cab118914682 , < 5370647dd745bb3d8f37057006be207ddd8e9314 (git) Affected: 0b2c59720e65885a394a017d0cf9cab118914682 , < 9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_ppp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a413d360959962995e16a899cf2b9ef53e9fcb9",
"status": "affected",
"version": "2d77e5c0ad79004b5ef901895437e9cce6dfcc7e",
"versionType": "git"
},
{
"lessThan": "f6df58aa15f7d469f69b1dd21b001ff483255244",
"status": "affected",
"version": "77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce",
"versionType": "git"
},
{
"lessThan": "4bb736b40475528ac1aa8c98b368563618488a70",
"status": "affected",
"version": "cef0845b6dcfa2f6c2c832e7f9622551456c741d",
"versionType": "git"
},
{
"lessThan": "5370647dd745bb3d8f37057006be207ddd8e9314",
"status": "affected",
"version": "0b2c59720e65885a394a017d0cf9cab118914682",
"versionType": "git"
},
{
"lessThan": "9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac",
"status": "affected",
"version": "0b2c59720e65885a394a017d0cf9cab118914682",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_ppp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.10.166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.15.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()\n\nWhen a file descriptor of pppol2tp socket is passed as file descriptor\nof UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().\nThis situation is reproduced by the following program:\n\nint main(void)\n{\n\tint sock;\n\tstruct sockaddr_pppol2tp addr;\n\n\tsock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);\n\tif (sock \u003c 0) {\n\t\tperror(\"socket\");\n\t\treturn 1;\n\t}\n\n\taddr.sa_family = AF_PPPOX;\n\taddr.sa_protocol = PX_PROTO_OL2TP;\n\taddr.pppol2tp.pid = 0;\n\taddr.pppol2tp.fd = sock;\n\taddr.pppol2tp.addr.sin_family = PF_INET;\n\taddr.pppol2tp.addr.sin_port = htons(0);\n\taddr.pppol2tp.addr.sin_addr.s_addr = inet_addr(\"192.168.0.1\");\n\taddr.pppol2tp.s_tunnel = 1;\n\taddr.pppol2tp.s_session = 0;\n\taddr.pppol2tp.d_tunnel = 0;\n\taddr.pppol2tp.d_session = 0;\n\n\tif (connect(sock, (const struct sockaddr *)\u0026addr, sizeof(addr)) \u003c 0) {\n\t\tperror(\"connect\");\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}\n\nThis program causes the following lockdep warning:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.2.0-rc5-00205-gc96618275234 #56 Not tainted\n --------------------------------------------\n repro/8607 is trying to acquire lock:\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0\n\n but task is already holding lock:\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(sk_lock-AF_PPPOX);\n lock(sk_lock-AF_PPPOX);\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n 1 lock held by repro/8607:\n #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\n\n stack backtrace:\n CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x100/0x178\n __lock_acquire.cold+0x119/0x3b9\n ? lockdep_hardirqs_on_prepare+0x410/0x410\n lock_acquire+0x1e0/0x610\n ? l2tp_tunnel_register+0x2b7/0x11c0\n ? lock_downgrade+0x710/0x710\n ? __fget_files+0x283/0x3e0\n lock_sock_nested+0x3a/0xf0\n ? l2tp_tunnel_register+0x2b7/0x11c0\n l2tp_tunnel_register+0x2b7/0x11c0\n ? sprintf+0xc4/0x100\n ? l2tp_tunnel_del_work+0x6b0/0x6b0\n ? debug_object_deactivate+0x320/0x320\n ? lockdep_init_map_type+0x16d/0x7a0\n ? lockdep_init_map_type+0x16d/0x7a0\n ? l2tp_tunnel_create+0x2bf/0x4b0\n ? l2tp_tunnel_create+0x3c6/0x4b0\n pppol2tp_connect+0x14e1/0x1a30\n ? pppol2tp_put_sk+0xd0/0xd0\n ? aa_sk_perm+0x2b7/0xa80\n ? aa_af_perm+0x260/0x260\n ? bpf_lsm_socket_connect+0x9/0x10\n ? pppol2tp_put_sk+0xd0/0xd0\n __sys_connect_file+0x14f/0x190\n __sys_connect+0x133/0x160\n ? __sys_connect_file+0x190/0x190\n ? lockdep_hardirqs_on+0x7d/0x100\n ? ktime_get_coarse_real_ts64+0x1b7/0x200\n ? ktime_get_coarse_real_ts64+0x147/0x200\n ? __audit_syscall_entry+0x396/0x500\n __x64_sys_connect+0x72/0xb0\n do_syscall_64+0x38/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes the issue by getting/creating the tunnel before\nlocking the pppol2tp socket."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:07.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a413d360959962995e16a899cf2b9ef53e9fcb9"
},
{
"url": "https://git.kernel.org/stable/c/f6df58aa15f7d469f69b1dd21b001ff483255244"
},
{
"url": "https://git.kernel.org/stable/c/4bb736b40475528ac1aa8c98b368563618488a70"
},
{
"url": "https://git.kernel.org/stable/c/5370647dd745bb3d8f37057006be207ddd8e9314"
},
{
"url": "https://git.kernel.org/stable/c/9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac"
}
],
"title": "l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53809",
"datePublished": "2025-12-09T00:01:07.120Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T00:01:07.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-53809\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-09T01:16:52.940\",\"lastModified\":\"2025-12-09T18:37:13.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nl2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()\\n\\nWhen a file descriptor of pppol2tp socket is passed as file descriptor\\nof UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().\\nThis situation is reproduced by the following program:\\n\\nint main(void)\\n{\\n\\tint sock;\\n\\tstruct sockaddr_pppol2tp addr;\\n\\n\\tsock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);\\n\\tif (sock \u003c 0) {\\n\\t\\tperror(\\\"socket\\\");\\n\\t\\treturn 1;\\n\\t}\\n\\n\\taddr.sa_family = AF_PPPOX;\\n\\taddr.sa_protocol = PX_PROTO_OL2TP;\\n\\taddr.pppol2tp.pid = 0;\\n\\taddr.pppol2tp.fd = sock;\\n\\taddr.pppol2tp.addr.sin_family = PF_INET;\\n\\taddr.pppol2tp.addr.sin_port = htons(0);\\n\\taddr.pppol2tp.addr.sin_addr.s_addr = inet_addr(\\\"192.168.0.1\\\");\\n\\taddr.pppol2tp.s_tunnel = 1;\\n\\taddr.pppol2tp.s_session = 0;\\n\\taddr.pppol2tp.d_tunnel = 0;\\n\\taddr.pppol2tp.d_session = 0;\\n\\n\\tif (connect(sock, (const struct sockaddr *)\u0026addr, sizeof(addr)) \u003c 0) {\\n\\t\\tperror(\\\"connect\\\");\\n\\t\\treturn 1;\\n\\t}\\n\\n\\treturn 0;\\n}\\n\\nThis program causes the following lockdep warning:\\n\\n ============================================\\n WARNING: possible recursive locking detected\\n 6.2.0-rc5-00205-gc96618275234 #56 Not tainted\\n --------------------------------------------\\n repro/8607 is trying to acquire lock:\\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0\\n\\n but task is already holding lock:\\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\\n\\n other info that might help us debug this:\\n Possible unsafe locking scenario:\\n\\n CPU0\\n ----\\n lock(sk_lock-AF_PPPOX);\\n lock(sk_lock-AF_PPPOX);\\n\\n *** DEADLOCK ***\\n\\n May be due to missing lock nesting notation\\n\\n 1 lock held by repro/8607:\\n #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\\n\\n stack backtrace:\\n CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\\n Call Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x100/0x178\\n __lock_acquire.cold+0x119/0x3b9\\n ? lockdep_hardirqs_on_prepare+0x410/0x410\\n lock_acquire+0x1e0/0x610\\n ? l2tp_tunnel_register+0x2b7/0x11c0\\n ? lock_downgrade+0x710/0x710\\n ? __fget_files+0x283/0x3e0\\n lock_sock_nested+0x3a/0xf0\\n ? l2tp_tunnel_register+0x2b7/0x11c0\\n l2tp_tunnel_register+0x2b7/0x11c0\\n ? sprintf+0xc4/0x100\\n ? l2tp_tunnel_del_work+0x6b0/0x6b0\\n ? debug_object_deactivate+0x320/0x320\\n ? lockdep_init_map_type+0x16d/0x7a0\\n ? lockdep_init_map_type+0x16d/0x7a0\\n ? l2tp_tunnel_create+0x2bf/0x4b0\\n ? l2tp_tunnel_create+0x3c6/0x4b0\\n pppol2tp_connect+0x14e1/0x1a30\\n ? pppol2tp_put_sk+0xd0/0xd0\\n ? aa_sk_perm+0x2b7/0xa80\\n ? aa_af_perm+0x260/0x260\\n ? bpf_lsm_socket_connect+0x9/0x10\\n ? pppol2tp_put_sk+0xd0/0xd0\\n __sys_connect_file+0x14f/0x190\\n __sys_connect+0x133/0x160\\n ? __sys_connect_file+0x190/0x190\\n ? lockdep_hardirqs_on+0x7d/0x100\\n ? ktime_get_coarse_real_ts64+0x1b7/0x200\\n ? ktime_get_coarse_real_ts64+0x147/0x200\\n ? __audit_syscall_entry+0x396/0x500\\n __x64_sys_connect+0x72/0xb0\\n do_syscall_64+0x38/0xb0\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThis patch fixes the issue by getting/creating the tunnel before\\nlocking the pppol2tp socket.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4a413d360959962995e16a899cf2b9ef53e9fcb9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4bb736b40475528ac1aa8c98b368563618488a70\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5370647dd745bb3d8f37057006be207ddd8e9314\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f6df58aa15f7d469f69b1dd21b001ff483255244\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…