CVE-2023-52468

class: fix use-after-free in class_register()

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

class: fix use-after-free in class_register()

The lock_class_key is still registered and can be found in
lock_keys_hash hlist after subsys_private is freed in error
handler path.A task who iterate over the lock_keys_hash
later may cause use-after-free.So fix that up and unregister
the lock_class_key before kfree(cp).

On our platform, a driver fails to kset_register because of
creating duplicate filename '/class/xxx'.With Kasan enabled,
it prints a invalid-access bug report.

KASAN bug report:

BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc
Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252
Pointer tag: [15], memory tag: [fe]

CPU: 7 PID: 252 Comm: modprobe Tainted: G W
6.6.0-mainline-maybe-dirty #1

Call trace:
dump_backtrace+0x1b0/0x1e4
show_stack+0x2c/0x40
dump_stack_lvl+0xac/0xe0
print_report+0x18c/0x4d8
kasan_report+0xe8/0x148
__hwasan_store8_noabort+0x88/0x98
lockdep_register_key+0x19c/0x1bc
class_register+0x94/0x1ec
init_module+0xbc/0xf48 [rfkill]
do_one_initcall+0x17c/0x72c
do_init_module+0x19c/0x3f8
...
Memory state around the buggy address:
ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a
ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe
>ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03

As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access
not use-after-free here.In this case, modprobe is manipulating
the corrupted lock_keys_hash hlish where lock_class_key is already
freed before.

It's worth noting that this only can happen if lockdep is enabled,
which is not true for normal system.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clase: corrige use-after-free en class_register() Lock_class_key todavía está registrada y se puede encontrar en lock_keys_hash hlist después de que subsys_private se libere en la ruta del controlador de errores. Una tarea que itera sobre Lock_keys_hash más tarde puede causar use-after-free. Así que solucione eso y cancele el registro de lock_class_key antes de kfree (cp). En nuestra plataforma, un controlador no logra kset_register debido a que crea un nombre de archivo duplicado '/class/xxx'. Con Kasan habilitado, imprime un informe de error de acceso no válido. Informe de error de KASAN: ERROR: KASAN: acceso no válido en lockdep_register_key+0x19c/0x1bc Escritura de tamaño 8 en la dirección 15ffff808b8c0368 mediante tarea modprobe/252 Etiqueta de puntero: [15], etiqueta de memoria: [fe] CPU: 7 PID: 252 Comm: modprobe contaminado: GW 6.6.0-mainline-maybe-dirty #1 Rastreo de llamadas: dump_backtrace+0x1b0/0x1e4 show_stack+0x2c/0x40 dump_stack_lvl+0xac/0xe0 print_report+0x18c/0x4d8 kasan_report+0xe8/0x148 __hwasan_store8_noabort+0x 88/0x98 lockdep_register_key+ 0x19c/0x1bc class_register+0x94/0x1ec init_module+0xbc/0xf48 [rfkill] do_one_initcall+0x17c/0x72c do_init_module+0x19c/0x3f8 ... Estado de la memoria alrededor de la dirección del error: ffffff808b8c0100: 8a 8a 8a 8a 8a 8 un 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe> ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe ^ fffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 Como CONFIG_KASAN_GENERIC no está configurado, Kasan informa aquí de acceso no válido, no use-after-free. En este caso, modprobe está manipulando el lock_keys_hash hlish corrupto donde lock_class_key ya se liberó antes. Vale la pena señalar que esto sólo puede suceder si lockdep está habilitado, lo cual no es cierto para el sistema normal.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-25 CVE Published
2024-04-21 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/dcfbb67e48a2becfce7990386e985b9c45098ee5	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b57196a5ec5e4c0ffecde8348b085b778c7dce04	2024-01-25
https://git.kernel.org/stable/c/0f1486dafca3398c4c46b9f6e6452fa27e73b559	2024-01-25
https://git.kernel.org/stable/c/93ec4a3b76404bce01bd5c9032bef5df6feb1d62	2024-01-04

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.6.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.7.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.4 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.8"		en		Affected