CVE-2023-54019

EPSS 0.02%
Veröffentlicht 24.12.2025 10:55:49
Zuletzt bearbeitet 29.12.2025 15:58:56
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

sched/psi: use kernfs polling functions for PSI trigger polling

Destroying psi trigger in cgroup_file_release causes UAF issues when
a cgroup is removed from under a polling process. This is happening
because cgroup removal causes a call to cgroup_file_release while the
actual file is still alive. Destroying the trigger at this point would
also destroy its waitqueue head and if there is still a polling process
on that file accessing the waitqueue, it will step on the freed pointer:

do_select
  vfs_poll
                           do_rmdir
                             cgroup_rmdir
                               kernfs_drain_open_files
                                 cgroup_file_release
                                   cgroup_pressure_release
                                     psi_trigger_destroy
                                       wake_up_pollfree(&t->event_wait)
// vfs_poll is unblocked
                                       synchronize_rcu
                                       kfree(t)
  poll_freewait -> UAF access to the trigger's waitqueue head

Patch [1] fixed this issue for epoll() case using wake_up_pollfree(),
however the same issue exists for synchronous poll() case.
The root cause of this issue is that the lifecycles of the psi trigger's
waitqueue and of the file associated with the trigger are different. Fix
this by using kernfs_generic_poll function when polling on cgroup-specific
psi triggers. It internally uses kernfs_open_node->poll waitqueue head
with its lifecycle tied to the file's lifecycle. This also renders the
fix in [1] obsolete, so revert it.

[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version < 92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a

Version 0e94682b73bfa6c44c98af7a26771c9c08c055d5

Status affected

Version < d124ab17024cc85a1079b7810a018a497ebc13da

Version 0e94682b73bfa6c44c98af7a26771c9c08c055d5

Status affected

Version < aff037078ecaecf34a7c2afab1341815f90fba5e

Version 0e94682b73bfa6c44c98af7a26771c9c08c055d5

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 5.2

Status affected

Version < 5.2

Version 0

Status unaffected

Version <= 6.1.*

Version 6.1.42

Status unaffected

Version <= 6.4.*

Version 6.4.7

Status unaffected

Version <= *

Version 6.5

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.058

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a

https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da

https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e

https://nvd.nist.gov/vuln/detail/CVE-2023-54019

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-54019

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-54019

EUVD