CVE-2023-52854

EPSS 0.01%
Published 21.05.2024 16:15:22
Last modified 03.02.2025 16:13:08
Source 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Open
Login

In the Linux kernel, the following vulnerability has been resolved:

padata: Fix refcnt handling in padata_free_shell()

In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead
to system UAF (Use-After-Free) issues. Due to the lengthy analysis of
the pcrypt_aead01 function call, I'll describe the problem scenario
using a simplified model:

Suppose there's a user of padata named `user_function` that adheres to
the padata requirement of calling `padata_free_shell` after `serial()`
has been invoked, as demonstrated in the following code:

```c
struct request {
    struct padata_priv padata;
    struct completion *done;
};

void parallel(struct padata_priv *padata) {
    do_something();
}

void serial(struct padata_priv *padata) {
    struct request *request = container_of(padata,
    				struct request,
				padata);
    complete(request->done);
}

void user_function() {
    DECLARE_COMPLETION(done)
    padata->parallel = parallel;
    padata->serial = serial;
    padata_do_parallel();
    wait_for_completion(&done);
    padata_free_shell();
}
```

In the corresponding padata.c file, there's the following code:

```c
static void padata_serial_worker(struct work_struct *serial_work) {
    ...
    cnt = 0;

    while (!list_empty(&local_list)) {
        ...
        padata->serial(padata);
        cnt++;
    }

    local_bh_enable();

    if (refcount_sub_and_test(cnt, &pd->refcnt))
        padata_free_pd(pd);
}
```

Because of the high system load and the accumulation of unexecuted
softirq at this moment, `local_bh_enable()` in padata takes longer
to execute than usual. Subsequently, when accessing `pd->refcnt`,
`pd` has already been released by `padata_free_shell()`, resulting
in a UAF issue with `pd->refcnt`.

The fix is straightforward: add `refcount_dec_and_test` before calling
`padata_free_pd` in `padata_free_shell`.

Affected products Warnungen 0 Metrics 2 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 3.16.84 < 3.17

Linux ≫ Linux Kernel Version >= 4.4.215 < 4.5

Linux ≫ Linux Kernel Version >= 4.9.215 < 4.10

Linux ≫ Linux Kernel Version >= 4.14.172 < 4.15

Linux ≫ Linux Kernel Version >= 4.19.103 < 4.20

Linux ≫ Linux Kernel Version >= 5.4.19 < 5.5

Linux ≫ Linux Kernel Version >= 5.5.3 < 5.10.201

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.139

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.63

Linux ≫ Linux Kernel Version >= 6.2 < 6.5.12

Linux ≫ Linux Kernel Version >= 6.6 < 6.6.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.01%	0.014

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/0dd34a7ad395dbcf6ae60e48e9786050e25b9bc5

Patch

https://git.kernel.org/stable/c/1734a79e951914f1db2c65e635012a35db1c674b

Patch

https://git.kernel.org/stable/c/1e901bcb8af19416b65f5063a4af7996e5a51d7f

Patch

https://git.kernel.org/stable/c/41aad9d6953984d134fc50f631f24ef476875d4d

Patch

https://git.kernel.org/stable/c/7ddc21e317b360c3444de3023bcc83b85fabae2f

Patch

https://git.kernel.org/stable/c/c7c26d0ef5d20f00dbb2ae3befcabbe0efa77275

Patch

https://nvd.nist.gov/vuln/detail/CVE-2023-52854

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-52854

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-52854

EUVD