CVE-2023-52707 in Linuxinfo

Summary

by MITRE • 05/21/2024

In the Linux kernel, the following vulnerability has been resolved:

sched/psi: Fix use-after-free in ep_remove_wait_queue()

If a non-root cgroup gets removed when there is a thread that registered trigger and is polling on a pressure file within the cgroup, the polling waitqueue gets freed in the following path:

do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy

However, the polling thread still has a reference to the pressure file and will access the freed waitqueue when the file is closed or upon exit:

fput ep_eventpoll_release ep_free ep_remove_wait_queue remove_wait_queue

This results in use-after-free as pasted below.

The fundamental problem here is that cgroup_file_release() (and consequently waitqueue's lifetime) is not tied to the file's real lifetime. Using wake_up_pollfree() here might be less than ideal, but it is in line with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()") since the waitqueue's lifetime is not tied to file's one and can be considered as another special case. While this would be fixable by somehow making cgroup_file_release() be tied to the fput(), it would require sizable refactoring at cgroups or higher layer which might be more justifiable if we identify more cases like this.

BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0 Write of size 4 at addr ffff88810e625328 by task a.out/4404

CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38 Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017 Call Trace: dump_stack_lvl+0x73/0xa0 print_report+0x16c/0x4e0 kasan_report+0xc3/0xf0 kasan_check_range+0x2d2/0x310 _raw_spin_lock_irqsave+0x60/0xc0 remove_wait_queue+0x1a/0xa0 ep_free+0x12c/0x170 ep_eventpoll_release+0x26/0x30 __fput+0x202/0x400 task_work_run+0x11d/0x170 do_exit+0x495/0x1130 do_group_exit+0x100/0x100 get_signal+0xd67/0xde0 arch_do_signal_or_restart+0x2a/0x2b0 exit_to_user_mode_prepare+0x94/0x100 syscall_exit_to_user_mode+0x20/0x40 do_syscall_64+0x52/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Allocated by task 4404:

kasan_set_track+0x3d/0x60 __kasan_kmalloc+0x85/0x90 psi_trigger_create+0x113/0x3e0 pressure_write+0x146/0x2e0 cgroup_file_write+0x11c/0x250 kernfs_fop_write_iter+0x186/0x220 vfs_write+0x3d8/0x5c0 ksys_write+0x90/0x110 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 4407:

kasan_set_track+0x3d/0x60 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x11d/0x170 slab_free_freelist_hook+0x87/0x150 __kmem_cache_free+0xcb/0x180 psi_trigger_destroy+0x2e8/0x310 cgroup_file_release+0x4f/0xb0 kernfs_drain_open_files+0x165/0x1f0 kernfs_drain+0x162/0x1a0 __kernfs_remove+0x1fb/0x310 kernfs_remove_by_name_ns+0x95/0xe0 cgroup_addrm_files+0x67f/0x700 cgroup_destroy_locked+0x283/0x3c0 cgroup_rmdir+0x29/0x100 kernfs_iop_rmdir+0xd1/0x140 vfs_rmdir+0xfe/0x240 do_rmdir+0x13d/0x280 __x64_sys_rmdir+0x2c/0x30 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/07/2025

The vulnerability described in CVE-2023-52707 resides within the Linux kernel's cgroup subsystem, specifically in the interaction between pressure stall information (PSI) and eventpoll mechanisms. This flaw manifests as a use-after-free condition that can occur when a non-root cgroup is removed while a thread is actively polling on a pressure file within that cgroup. The issue stems from a disconnect in the lifetime management of waitqueues used for polling operations and the actual file lifecycle, leading to potential kernel crashes or privilege escalation if exploited.

The technical root cause lies in the sequence of operations during cgroup removal where `cgroup_file_release()` is invoked, resulting in the freeing of the waitqueue associated with the pressure file. However, a polling thread that has already registered a trigger continues to hold a reference to the file and will attempt to access the freed waitqueue during file closure or process exit. This misalignment between resource management and reference counting creates the conditions for a use-after-free error, as evidenced by the kernel address sanitizer (KASAN) report showing access to freed memory at address ffff88810e625328.

The operational impact of this vulnerability extends beyond simple system instability, as it can be leveraged for privilege escalation or denial of service attacks. The flaw specifically affects systems running Linux kernel versions where the cgroup subsystem is active and pressure monitoring is enabled, making it a critical concern for containerized environments and systems relying on cgroup-based resource management. The vulnerability is particularly dangerous because it can be triggered through standard file system operations such as rmdir, and the resulting crash or memory corruption can potentially be exploited to gain elevated privileges.

Mitigation strategies for CVE-2023-52707 primarily involve applying the kernel patch that resolves the timing issue between waitqueue destruction and polling thread cleanup. The fix requires ensuring that waitqueue lifetimes are properly synchronized with file lifetimes, preventing premature deallocation of resources while polling threads still maintain references. Organizations should prioritize upgrading to kernel versions that include this patch, particularly those running containerized workloads or systems that heavily utilize cgroup and PSI features. Additionally, monitoring for anomalous system behavior or crashes related to cgroup operations can help detect exploitation attempts, while implementing proper access controls and limiting cgroup manipulation privileges can reduce the attack surface. This vulnerability aligns with CWE-416, which addresses use-after-free conditions, and can be mapped to ATT&CK technique T1059 for privilege escalation through kernel exploits, highlighting the need for comprehensive kernel security hardening measures.

The fix implemented in the kernel addresses the fundamental design issue where waitqueue lifetimes were not properly tied to file lifetimes, creating a race condition between resource deallocation and active references. This represents a classic case of improper resource management in kernel space, where the synchronization between subsystems needs to be carefully orchestrated to prevent such scenarios. The solution involves reworking the relationship between cgroup file release and waitqueue cleanup to ensure that polling operations cannot access freed memory, thereby preventing both system crashes and potential exploitation opportunities.

Reservation

03/07/2024

Disclosure

05/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00262

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!