CVE-2023-53728

Description

In the Linux kernel, the following vulnerability has been resolved: posix-timers: Ensure timer ID search-loop limit is valid posix_timer_add() tries to allocate a posix timer ID by starting from the cached ID which was stored by the last successful allocation. This is done in a loop searching the ID space for a free slot one by one. The loop has to terminate when the search wrapped around to the starting point. But that's racy vs. establishing the starting point. That is read out lockless, which leads to the following problem: CPU0 CPU1 posix_timer_add() start = sig->posix_timer_id; lock(hash_lock); ... posix_timer_add() if (++sig->posix_timer_id < 0) start = sig->posix_timer_id; sig->posix_timer_id = 0; So CPU1 can observe a negative start value, i.e. -1, and the loop break never happens because the condition can never be true: if (sig->posix_timer_id == start) break; While this is unlikely to ever turn into an endless loop as the ID space is huge (INT_MAX), the racy read of the start value caught the attention of KCSAN and Dmitry unearthed that incorrectness. Rewrite it so that all id operations are under the hash lock.

PUBLISHED Reserved 2025-10-22 | Published 2025-10-22 | Updated 2025-10-22 | Assigner Linux

Product status

References

git.kernel.org/...c/8dc52c200b889bc1cb34288fbf623d4ff381d2ae

git.kernel.org/...c/9ea26a8494a0a9337e7415eafd6f3ed940327dc5

git.kernel.org/...c/8ad6679a5bb97cdb3e14942729292b4bfcc0e223

git.kernel.org/...c/322377cc909defcca9451487484845e7e1d20d1b

git.kernel.org/...c/ef535e0315afd098c4beb1da364847eca4b56a20

git.kernel.org/...c/6a0ac84501b4fec73a1a823c55cf13584c43f418

git.kernel.org/...c/37175e25edf7cc0d5a2cd2c2a1cbe2dcbf4a1937

git.kernel.org/...c/8ce8849dd1e78dadcee0ec9acbd259d239b7069f

cve.org (CVE-2023-53728)

nvd.nist.gov (CVE-2023-53728)

Download JSON