CVE-2023-52609 in Linux

Summary

by MITRE • 03/18/2024

In the Linux kernel, the following vulnerability has been resolved:

binder: fix race between mmput() and do_exit()

Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A.

    Task A            |  Task B
    ------------------+------------------
    mmget_not_zero()  |
                      |  do_exit()
                      |    exit_mm()
                      |      mmput()
    mmput()           |
      exit_mmap()     |
        remove_vma()  |
          fput()      |

In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleeps, waiting for a reply from Task B that never comes (it's dead).

This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then.

In order to fix this, use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.


Analysis

by VulDB Data Team • 06/21/2025

CVE-2023-52609 describes a critical race condition in the Linux kernel's binder driver, the inter-process communication mechanism that Android is built on. The flaw arises when two tasks act on the same address space at the same time: one task allocates and inserts pages into a remote address space through binder_update_page_range(), while the task that owns that address space is exiting, and the memory management subsystem then fails to run its cleanup work promptly during process termination.

The technical flaw is a synchronisation gap between memory management operations during the process lifecycle. Task A pins Task B's memory descriptor with mmget_not_zero() before allocating pages in the remote address space, and this can race with Task B's do_exit() path. Task B's exit_mm() drops its own reference with mmput(), so the final refcount decrement, and with it the teardown that would normally happen in Task B's context, is performed by Task A. The cleanup queued by fput() during that teardown is added as TWA_RESUME task work in Task A's context, to run when Task A next returns to userspace. Task A instead goes to sleep waiting for a reply from Task B, which has already terminated, so the cleanup never runs: an effective deadlock.

The operational impact is severe: binder_deferred_release() is blocked indefinitely, and all associated death notifications are delayed until an unrelated binder event forces Task A back to userspace. The result is a denial of service in which legitimate communication channels become unresponsive, affecting Android application communication, system services and other binder-based IPC. Any system that actively uses the binder driver for process communication is affected, in particular Android, where binder is fundamental to system operation and to how applications reach kernel and system services.

The fix replaces the synchronous mmput() with mmput_async(), which schedules the teardown on the mm->async_put_work workqueue instead of running it in Task A's context. The cleanup therefore proceeds asynchronously, in a context that does get to run its queued work, without depending on the calling task, which removes the blocking scenario. The change follows established kernel practice for handling race conditions in memory management and maps to the weakness classes CWE-362 (race condition) and CWE-667 (improper locking). The impact also corresponds to ATT&CK technique T1499.004 (Endpoint Denial of Service), and the fix addresses the fundamental requirement that system call paths must not be left blocked in a denial-of-service state.
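As an added illustration, not part of the kernel patch or of the VulDB analysis, the following constructed C model replays the sequence above and shows why moving the final put to mm->async_put_work lets the binder file be released while Task A is still asleep. The single-slot work lists, the in_kworker flag and the bool-based file and mm structures are simplifications assumed for this model, not kernel code.

```c
/* Constructed single-threaded model of the CVE-2023-52609 race; not kernel
 * code. It tracks only where the binder file's final release is queued:
 * the task-work list of the task that dropped the last mm reference
 * (TWA_RESUME, run only on return to userspace) or mm->async_put_work,
 * which a kernel worker runs regardless of what Task A is doing. */
#include <stdbool.h>
#include <stddef.h>
struct file { bool released; };
struct mm   { int refs; struct file *vm_file; };
struct work { void (*fn)(void *); void *arg; };   /* one queued item */
static struct work task_a_work;     /* Task A's task_work list (one slot) */
static struct work async_put_work;  /* mm->async_put_work (one slot) */

static void ____fput(void *arg) { ((struct file *)arg)->released = true; }

/* fput(): a user task defers the real release to its own task work;
 * a kernel worker has no userspace to return to, so it releases now. */
static void fput(struct file *f, bool in_kworker) {
    if (in_kworker) ____fput(f);
    else task_a_work = (struct work){ ____fput, f };
}

/* exit_mmap() -> remove_vma() -> fput() on the binder mapping. */
static void exit_mmap(struct mm *mm, bool in_kworker) { fput(mm->vm_file, in_kworker); }
static void async_put_fn(void *arg) { exit_mmap(arg, true); }

/* Buggy path: the last putter tears the mm down in its own context. */
static void mmput(struct mm *mm) { if (--mm->refs == 0) exit_mmap(mm, false); }
/* Fixed path: the last putter hands the tear-down to mm->async_put_work. */
static void mmput_async(struct mm *mm) {
    if (--mm->refs == 0) async_put_work = (struct work){ async_put_fn, mm };
}

bool task_a_has_pending_work(void) { return task_a_work.fn != NULL; }

/* Replays the race and reports whether the binder file was released while
 * Task A is still asleep waiting for a reply from the dead Task B. */
bool binder_file_released(bool use_async) {
    struct file f = { false };
    struct mm mm = { 1, &f };            /* Task B's own reference */
    task_a_work = async_put_work = (struct work){ NULL, NULL };
    mm.refs++;                           /* Task A: mmget_not_zero() on B's mm */
    mmput(&mm);                          /* Task B: do_exit() -> exit_mm(); not final */
    if (use_async) mmput_async(&mm);     /* Task A: drops the final reference */
    else mmput(&mm);
    /* A kernel worker always runs mm->async_put_work ... */
    if (async_put_work.fn) async_put_work.fn(async_put_work.arg);
    /* ... whereas Task A's task work only runs when A returns to userspace,
     * and A instead sleeps in binder waiting for a reply that never comes. */
    return f.released;
}
```

With the buggy path the release stays parked in Task A's task work; with mmput_async() it completes without Task A ever waking up.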

Reservation

03/06/2024

Disclosure

03/18/2024

Moderation

accepted

CPE

ready

EPSS

0.00185

KEV

no

Activities

very low
