// For flags

CVE-2023-52854

padata: Fix refcnt handling in padata_free_shell()

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

padata: Fix refcnt handling in padata_free_shell()

In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead
to system UAF (Use-After-Free) issues. Due to the lengthy analysis of
the pcrypt_aead01 function call, I'll describe the problem scenario
using a simplified model:

Suppose there's a user of padata named `user_function` that adheres to
the padata requirement of calling `padata_free_shell` after `serial()`
has been invoked, as demonstrated in the following code:

```c
struct request {
struct padata_priv padata;
struct completion *done;
};

void parallel(struct padata_priv *padata) {
do_something();
}

void serial(struct padata_priv *padata) {
struct request *request = container_of(padata,
struct request,
padata);
complete(request->done);
}

void user_function() {
DECLARE_COMPLETION(done)
padata->parallel = parallel;
padata->serial = serial;
padata_do_parallel();
wait_for_completion(&done);
padata_free_shell();
}
```

In the corresponding padata.c file, there's the following code:

```c
static void padata_serial_worker(struct work_struct *serial_work) {
...
cnt = 0;

while (!list_empty(&local_list)) {
...
padata->serial(padata);
cnt++;
}

local_bh_enable();

if (refcount_sub_and_test(cnt, &pd->refcnt))
padata_free_pd(pd);
}
```

Because of the high system load and the accumulation of unexecuted
softirq at this moment, `local_bh_enable()` in padata takes longer
to execute than usual. Subsequently, when accessing `pd->refcnt`,
`pd` has already been released by `padata_free_shell()`, resulting
in a UAF issue with `pd->refcnt`.

The fix is straightforward: add `refcount_dec_and_test` before calling
`padata_free_pd` in `padata_free_shell`.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: padata: corrige el manejo de refcnt en padata_free_shell(). En un entorno arm64 de alta carga, la prueba pcrypt_aead01 en LTP puede provocar problemas de UAF (Use-After-Free) del sistema. Debido al extenso análisis de la llamada a la función pcrypt_aead01, describiré el escenario del problema usando un modelo simplificado: supongamos que hay un usuario de padata llamado `user_function` que cumple con el requisito de padata de llamar a `padata_free_shell` después de `serial()`. ha sido invocado, como se demuestra en el siguiente código: ```c struct request { struct padata_priv padata; finalización de la estructura *hecho; }; void paralelo(struct padata_priv *padata) { hacer_algo(); } void serial(struct padata_priv *padata) { solicitud de estructura *request = container_of(padata, solicitud de estructura, padata); completar(solicitud->hecho); } void user_function() { DECLARE_COMPLETION(hecho) padata->parallel = parallel; padata->serial = serial; padata_do_parallel(); wait_for_completion(&hecho); padata_free_shell(); } ``` En el archivo padata.c correspondiente, hay el siguiente código: ```c static void padata_serial_worker(struct work_struct *serial_work) { ... cnt = 0; while (!list_empty(&local_list)) { ... padata->serial(padata); cnt++; } local_bh_enable(); if (refcount_sub_and_test(cnt, &pd->refcnt)) padata_free_pd(pd); } ``` Debido a la alta carga del sistema y la acumulación de software no ejecutado en este momento, `local_bh_enable()` en padata tarda más de lo habitual en ejecutarse. Posteriormente, al acceder a `pd->refcnt`, `pd` ya ha sido liberado por `padata_free_shell()`, lo que genera un problema de UAF con `pd->refcnt`. La solución es sencilla: agregue `refcount_dec_and_test` antes de llamar a `padata_free_pd` en `padata_free_shell`.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-21 CVE Reserved
  • 2024-05-21 CVE Published
  • 2024-05-22 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.6 < 5.10.201
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.10.201"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.6 < 5.15.139
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.15.139"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.6 < 6.1.63
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 6.1.63"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.6 < 6.5.12
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 6.5.12"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.6 < 6.6.2
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 6.6.2"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.6 < 6.7
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 6.7"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
3.16.84
Search vendor "Linux" for product "Linux Kernel" and version "3.16.84"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.4.215
Search vendor "Linux" for product "Linux Kernel" and version "4.4.215"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.9.215
Search vendor "Linux" for product "Linux Kernel" and version "4.9.215"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.14.172
Search vendor "Linux" for product "Linux Kernel" and version "4.14.172"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.19.103
Search vendor "Linux" for product "Linux Kernel" and version "4.19.103"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
5.4.19
Search vendor "Linux" for product "Linux Kernel" and version "5.4.19"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
5.5.3
Search vendor "Linux" for product "Linux Kernel" and version "5.5.3"
en
Affected