CVE-2023-52707: sched/psi: Fix use-after-free in ep_remove_wait_queue()
In the Linux kernel, the following vulnerability has been resolved:
sched/psi: Fix use-after-free in ep_remove_wait_queue()
If a non-root cgroup gets removed when there is a thread that registered trigger and is polling on a pressure file within the cgroup, the polling waitqueue gets freed in the following path:
do_rmdir
  cgroup_rmdir
    kernfs_drain_open_files
      cgroup_file_release
        cgroup_pressure_release
          psi_trigger_destroy
However, the polling thread still has a reference to the pressure file and will access the freed waitqueue when the file is closed or upon exit:
fput
  ep_eventpoll_release
    ep_free
      ep_remove_wait_queue
        remove_wait_queue
This results in use-after-free as pasted below.
The fundamental problem here is that cgroup_file_release() (and consequently waitqueue's lifetime) is not tied to the file's real lifetime. Using wake_up_pollfree() here might be less than ideal, but it is in line with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()") since the waitqueue's lifetime is not tied to the file's one and can be considered as another special case. While this would be fixable by somehow making cgroup_file_release() be tied to the fput(), it would require sizable refactoring at cgroups or higher layer which might be more justifiable if we identify more cases like this.
BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
Write of size 4 at addr ffff88810e625328 by task a.out/4404

CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
Call Trace:
 <TASK>
 dump_stack_lvl+0x73/0xa0
 print_report+0x16c/0x4e0
 kasan_report+0xc3/0xf0
 kasan_check_range+0x2d2/0x310
 _raw_spin_lock_irqsave+0x60/0xc0
 remove_wait_queue+0x1a/0xa0
 ep_free+0x12c/0x170
 ep_eventpoll_release+0x26/0x30
 __fput+0x202/0x400
 task_work_run+0x11d/0x170
 do_exit+0x495/0x1130
 do_group_exit+0x100/0x100
 get_signal+0xd67/0xde0
 arch_do_signal_or_restart+0x2a/0x2b0
 exit_to_user_mode_prepare+0x94/0x100
 syscall_exit_to_user_mode+0x20/0x40
 do_syscall_64+0x52/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
 </TASK>

Allocated by task 4404:
 kasan_set_track+0x3d/0x60
 __kasan_kmalloc+0x85/0x90
 psi_trigger_create+0x113/0x3e0
 pressure_write+0x146/0x2e0
 cgroup_file_write+0x11c/0x250
 kernfs_fop_write_iter+0x186/0x220
 vfs_write+0x3d8/0x5c0
 ksys_write+0x90/0x110
 do_syscall_64+0x43/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 4407:
 kasan_set_track+0x3d/0x60
 kasan_save_free_info+0x27/0x40
 ____kasan_slab_free+0x11d/0x170
 slab_free_freelist_hook+0x87/0x150
 __kmem_cache_free+0xcb/0x180
 psi_trigger_destroy+0x2e8/0x310
 cgroup_file_release+0x4f/0xb0
 kernfs_drain_open_files+0x165/0x1f0
 kernfs_drain+0x162/0x1a0
 __kernfs_remove+0x1fb/0x310
 kernfs_remove_by_name_ns+0x95/0xe0
 cgroup_addrm_files+0x67f/0x700
 cgroup_destroy_locked+0x283/0x3c0
 cgroup_rmdir+0x29/0x100
 kernfs_iop_rmdir+0xd1/0x140
 vfs_rmdir+0xfe/0x240
 do_rmdir+0x13d/0x280
 __x64_sys_rmdir+0x2c/0x30
 do_syscall_64+0x43/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
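The commit message describes the lifetime mismatch in prose: epoll keeps a pointer to the PSI trigger's waitqueue, the cgroup removal frees that waitqueue, and the epoll teardown dereferences it later. The following userspace model, added here as an illustration and not code from the kernel or from the commit, replays that sequence twice: once with the pre-fix psi_trigger_destroy() that only calls wake_up_interruptible(), and once with the upstream fix, which wakes waiters with wake_up_pollfree() so epoll's callback detaches itself before the memory goes away. Function and structure names mirror the kernel ones from the trace, but the bodies are simplified (a singly linked list, no locking or RCU) and the kfree() is replaced by a freed flag so the "use-after-free" is reported as a return value rather than a crash; run_sequence() is a helper invented for the example.

```c
#include <stdio.h>
#include <stddef.h>

#define POLLIN   0x0001
#define POLLFREE 0x4000  /* same bit value the kernel uses for POLLFREE */

struct wait_queue_entry;
typedef int (*wait_func_t)(struct wait_queue_entry *wait, unsigned int mask);

struct wait_queue_entry {
    wait_func_t func;
    struct wait_queue_entry *next;
};

struct wait_queue_head {
    struct wait_queue_entry *head;
    int freed;                     /* stands in for the slab free KASAN tracks */
};

struct eppoll_entry {              /* epoll's per-waitqueue bookkeeping */
    struct wait_queue_entry wait;  /* must stay first: the callback casts back */
    struct wait_queue_head *whead; /* back pointer to the owner's waitqueue */
};

struct psi_trigger {               /* owns the waitqueue; freed with the cgroup */
    struct wait_queue_head event_wait;
};

static void add_wait_queue(struct wait_queue_head *wq, struct wait_queue_entry *e)
{
    e->next = wq->head;
    wq->head = e;
}

static void unlink_entry(struct wait_queue_head *wq, struct wait_queue_entry *e)
{
    struct wait_queue_entry **pp = &wq->head;
    while (*pp && *pp != e)
        pp = &(*pp)->next;
    if (*pp)
        *pp = e->next;
    e->next = NULL;
}

/* The kernel takes wq->lock here; on a freed head that is the write KASAN reports. */
static int remove_wait_queue(struct wait_queue_head *wq, struct wait_queue_entry *e)
{
    if (wq->freed)
        return -1;  /* use-after-free */
    unlink_entry(wq, e);
    return 0;
}

static void wake_up_mask(struct wait_queue_head *wq, unsigned int mask)
{
    struct wait_queue_entry *e = wq->head, *next;
    while (e) {
        next = e->next;  /* the callback may unlink e */
        e->func(e, mask);
        e = next;
    }
}
#define wake_up_interruptible(wq) wake_up_mask((wq), POLLIN)
#define wake_up_pollfree(wq)      wake_up_mask((wq), POLLFREE)

/* epoll's waiter callback: on POLLFREE it detaches itself and clears whead,
 * so a later ep_remove_wait_queue() has nothing left to touch. */
static int ep_poll_callback(struct wait_queue_entry *wait, unsigned int mask)
{
    struct eppoll_entry *pwq = (struct eppoll_entry *)wait;
    if (mask & POLLFREE) {
        unlink_entry(pwq->whead, wait);
        pwq->whead = NULL;
    }
    return 0;
}

/* epoll_ctl(ADD) on the pressure file: register on the trigger's waitqueue. */
static void ep_register(struct eppoll_entry *pwq, struct wait_queue_head *whead)
{
    pwq->wait.func = ep_poll_callback;
    pwq->wait.next = NULL;
    pwq->whead = whead;
    add_wait_queue(whead, &pwq->wait);
}

/* ep_free() -> ep_remove_wait_queue(): the close/exit path from the trace. */
static int ep_remove_wait_queue(struct eppoll_entry *pwq)
{
    struct wait_queue_head *whead = pwq->whead;
    if (!whead)
        return 0;  /* already detached by POLLFREE */
    return remove_wait_queue(whead, &pwq->wait);
}

/* rmdir -> cgroup_file_release -> psi_trigger_destroy(). */
static void psi_trigger_destroy(struct psi_trigger *t, int fixed)
{
    if (fixed)
        wake_up_pollfree(&t->event_wait);      /* upstream fix: detach pollers first */
    else
        wake_up_interruptible(&t->event_wait); /* pre-fix: pollers keep their whead */
    t->event_wait.freed = 1;                   /* kfree(t) in the kernel */
}

/* Replays the commit message's sequence; -1 means the poller touched freed memory. */
int run_sequence(int fixed)
{
    struct psi_trigger t = { { NULL, 0 } };
    struct eppoll_entry pwq;
    ep_register(&pwq, &t.event_wait);  /* task 4404: write trigger, epoll the file */
    psi_trigger_destroy(&t, fixed);    /* task 4407: rmdir the cgroup */
    return ep_remove_wait_queue(&pwq); /* task 4404: close(epfd) or exit */
}

int main(void)
{
    printf("before fix: %s\n", run_sequence(0) < 0 ? "use-after-free" : "ok");
    printf("after fix:  %s\n", run_sequence(1) < 0 ? "use-after-free" : "ok");
    return 0;
}
```

The point the model makes is the one the commit message argues: nothing in cgroup_file_release() knows which epoll instances still reference the trigger, so the only safe order is to make every waiter drop its reference (POLLFREE) before the owner frees the head; in the real kernel ep_poll_callback() additionally publishes the cleared whead with RCU so ep_remove_wait_queue() can read it without racing the free.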
Other sources
— NVD (carries the upstream commit message quoted above, unchanged)
In the Linux kernel, the following vulnerability has been resolved:
sched/psi: Fix use-after-free in ep_remove_wait_queue()
The Linux kernel CVE team has assigned CVE-2023-52707 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024052158-CVE-2023-52707-e048@gregkh/T
— Red Hat
Frequently Asked Questions
What is the severity of CVE-2023-52707?
CVE-2023-52707 has been classified as a high severity vulnerability. It is a use-after-free in kernel memory: the KASAN report in the commit message shows a write to a freed waitqueue's lock from the epoll release path, reached by an ordinary userspace sequence (register a PSI trigger on a cgroup pressure file, poll it, remove the cgroup, then close the file or exit). A kernel use-after-free is at minimum a local denial of service (kernel crash) and, as with other kernel use-after-frees, a potential route to privilege escalation.
How do I fix CVE-2023-52707?
To fix CVE-2023-52707, update to a kernel that contains the fix: 5.4.232, 5.10.169, 5.15.95, 6.1.13, or 6.2 and later, or a distribution kernel that has backported it. Distribution kernels keep their own version numbers, so check the running version from uname -r against your vendor's advisory rather than against the upstream numbers alone.
Which Linux kernel versions are affected by CVE-2023-52707?
CVE-2023-52707 affects kernels before the fixed release of each series: 5.4 before 5.4.232, 5.10 before 5.10.169, 5.15 before 5.15.95, 6.1 before 6.1.13, and the 6.2 series before the 6.2 release (the report was produced on 6.2.0-rc6).
What does CVE-2023-52707 involve?
CVE-2023-52707 is a use-after-free in the Linux kernel's PSI (pressure stall information) trigger code. When a non-root cgroup is removed, psi_trigger_destroy() frees the trigger, including its waitqueue, even though an epoll instance may still be registered on that waitqueue; when the epoll instance is later closed or its owner exits, ep_remove_wait_queue() calls remove_wait_queue() on the freed memory, which is the write KASAN reports. The fix wakes waiters with wake_up_pollfree() before the free so that epoll detaches itself first.
Can CVE-2023-52707 be triggered by non-root users?
The bug involves non-root cgroups (any cgroup below the root). Whether an unprivileged user can trigger it depends on what they are allowed to do with cgroups: the sequence needs write access to a cgroup's pressure file, to register the trigger, and the ability to rmdir that cgroup, which is the case inside a delegated cgroup v2 subtree. Without such delegation, only root (or whoever manages the cgroup hierarchy) can perform both steps.