cve/published/2023/CVE-2023-52707.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52707: sched/psi: Fix use-after-free in ep_remove_wait_queue()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sched/psi: Fix use-after-free in ep_remove_wait_queue()

 If a non-root cgroup gets removed when there is a thread that registered
 trigger and is polling on a pressure file within the cgroup, the polling
 waitqueue gets freed in the following path:

  do_rmdir
    cgroup_rmdir
      kernfs_drain_open_files
        cgroup_file_release
          cgroup_pressure_release
            psi_trigger_destroy

 However, the polling thread still has a reference to the pressure file and
 will access the freed waitqueue when the file is closed or upon exit:

  fput
    ep_eventpoll_release
      ep_free
        ep_remove_wait_queue
          remove_wait_queue

 This results in use-after-free as pasted below.

 The fundamental problem here is that cgroup_file_release() (and
 consequently waitqueue's lifetime) is not tied to the file's real lifetime.
 Using wake_up_pollfree() here might be less than ideal, but it is in line
 with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()")
 since the waitqueue's lifetime is not tied to file's one and can be
 considered as another special case. While this would be fixable by somehow
 making cgroup_file_release() be tied to the fput(), it would require
 sizable refactoring at cgroups or higher layer which might be more
 justifiable if we identify more cases like this.

   BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
   Write of size 4 at addr ffff88810e625328 by task a.out/4404

 	CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
 	Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
 	Call Trace:
 	<TASK>
 	dump_stack_lvl+0x73/0xa0
 	print_report+0x16c/0x4e0
 	kasan_report+0xc3/0xf0
 	kasan_check_range+0x2d2/0x310
 	_raw_spin_lock_irqsave+0x60/0xc0
 	remove_wait_queue+0x1a/0xa0
 	ep_free+0x12c/0x170
 	ep_eventpoll_release+0x26/0x30
 	__fput+0x202/0x400
 	task_work_run+0x11d/0x170
 	do_exit+0x495/0x1130
 	do_group_exit+0x100/0x100
 	get_signal+0xd67/0xde0
 	arch_do_signal_or_restart+0x2a/0x2b0
 	exit_to_user_mode_prepare+0x94/0x100
 	syscall_exit_to_user_mode+0x20/0x40
 	do_syscall_64+0x52/0x90
 	entry_SYSCALL_64_after_hwframe+0x63/0xcd
 	</TASK>

  Allocated by task 4404:

 	kasan_set_track+0x3d/0x60
 	__kasan_kmalloc+0x85/0x90
 	psi_trigger_create+0x113/0x3e0
 	pressure_write+0x146/0x2e0
 	cgroup_file_write+0x11c/0x250
 	kernfs_fop_write_iter+0x186/0x220
 	vfs_write+0x3d8/0x5c0
 	ksys_write+0x90/0x110
 	do_syscall_64+0x43/0x90
 	entry_SYSCALL_64_after_hwframe+0x63/0xcd

  Freed by task 4407:

 	kasan_set_track+0x3d/0x60
 	kasan_save_free_info+0x27/0x40
 	____kasan_slab_free+0x11d/0x170
 	slab_free_freelist_hook+0x87/0x150
 	__kmem_cache_free+0xcb/0x180
 	psi_trigger_destroy+0x2e8/0x310
 	cgroup_file_release+0x4f/0xb0
 	kernfs_drain_open_files+0x165/0x1f0
 	kernfs_drain+0x162/0x1a0
 	__kernfs_remove+0x1fb/0x310
 	kernfs_remove_by_name_ns+0x95/0xe0
 	cgroup_addrm_files+0x67f/0x700
 	cgroup_destroy_locked+0x283/0x3c0
 	cgroup_rmdir+0x29/0x100
 	kernfs_iop_rmdir+0xd1/0x140
 	vfs_rmdir+0xfe/0x240
 	do_rmdir+0x13d/0x280
 	__x64_sys_rmdir+0x2c/0x30
 	do_syscall_64+0x43/0x90
 	entry_SYSCALL_64_after_hwframe+0x63/0xcd

 The Linux kernel CVE team has assigned CVE-2023-52707 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 5.4.232 with commit 7caeb5457bd01ccba0df1d6f4872f20d28e50b38
 	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 5.10.169 with commit ec9c7aa08819f976b2492fa63c41b5712d2924b5
 	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 5.15.95 with commit cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a
 	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 6.1.13 with commit c6879a4dcefe92d870ab68cabaa9caeda4f2af5a
 	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 6.2 with commit c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52707
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/sched/psi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7caeb5457bd01ccba0df1d6f4872f20d28e50b38
 	https://git.kernel.org/stable/c/ec9c7aa08819f976b2492fa63c41b5712d2924b5
 	https://git.kernel.org/stable/c/cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a
 	https://git.kernel.org/stable/c/c6879a4dcefe92d870ab68cabaa9caeda4f2af5a
 	https://git.kernel.org/stable/c/c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52707: sched/psi: Fix use-after-free in ep_remove_wait_queue()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sched/psi: Fix use-after-free in ep_remove_wait_queue()

	If a non-root cgroup gets removed when there is a thread that registered
	trigger and is polling on a pressure file within the cgroup, the polling
	waitqueue gets freed in the following path:

	do_rmdir
	cgroup_rmdir
	kernfs_drain_open_files
	cgroup_file_release
	cgroup_pressure_release
	psi_trigger_destroy

	However, the polling thread still has a reference to the pressure file and
	will access the freed waitqueue when the file is closed or upon exit:

	fput
	ep_eventpoll_release
	ep_free
	ep_remove_wait_queue
	remove_wait_queue

	This results in use-after-free as pasted below.

	The fundamental problem here is that cgroup_file_release() (and
	consequently waitqueue's lifetime) is not tied to the file's real lifetime.
	Using wake_up_pollfree() here might be less than ideal, but it is in line
	with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()")
	since the waitqueue's lifetime is not tied to file's one and can be
	considered as another special case. While this would be fixable by somehow
	making cgroup_file_release() be tied to the fput(), it would require
	sizable refactoring at cgroups or higher layer which might be more
	justifiable if we identify more cases like this.

	BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
	Write of size 4 at addr ffff88810e625328 by task a.out/4404

	CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
	Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
	Call Trace:
	<TASK>
	dump_stack_lvl+0x73/0xa0
	print_report+0x16c/0x4e0
	kasan_report+0xc3/0xf0
	kasan_check_range+0x2d2/0x310
	_raw_spin_lock_irqsave+0x60/0xc0
	remove_wait_queue+0x1a/0xa0
	ep_free+0x12c/0x170
	ep_eventpoll_release+0x26/0x30
	__fput+0x202/0x400
	task_work_run+0x11d/0x170
	do_exit+0x495/0x1130
	do_group_exit+0x100/0x100
	get_signal+0xd67/0xde0
	arch_do_signal_or_restart+0x2a/0x2b0
	exit_to_user_mode_prepare+0x94/0x100
	syscall_exit_to_user_mode+0x20/0x40
	do_syscall_64+0x52/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd
	</TASK>

	Allocated by task 4404:

	kasan_set_track+0x3d/0x60
	__kasan_kmalloc+0x85/0x90
	psi_trigger_create+0x113/0x3e0
	pressure_write+0x146/0x2e0
	cgroup_file_write+0x11c/0x250
	kernfs_fop_write_iter+0x186/0x220
	vfs_write+0x3d8/0x5c0
	ksys_write+0x90/0x110
	do_syscall_64+0x43/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

	Freed by task 4407:

	kasan_set_track+0x3d/0x60
	kasan_save_free_info+0x27/0x40
	____kasan_slab_free+0x11d/0x170
	slab_free_freelist_hook+0x87/0x150
	__kmem_cache_free+0xcb/0x180
	psi_trigger_destroy+0x2e8/0x310
	cgroup_file_release+0x4f/0xb0
	kernfs_drain_open_files+0x165/0x1f0
	kernfs_drain+0x162/0x1a0
	__kernfs_remove+0x1fb/0x310
	kernfs_remove_by_name_ns+0x95/0xe0
	cgroup_addrm_files+0x67f/0x700
	cgroup_destroy_locked+0x283/0x3c0
	cgroup_rmdir+0x29/0x100
	kernfs_iop_rmdir+0xd1/0x140
	vfs_rmdir+0xfe/0x240
	do_rmdir+0x13d/0x280
	__x64_sys_rmdir+0x2c/0x30
	do_syscall_64+0x43/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

	The Linux kernel CVE team has assigned CVE-2023-52707 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 5.4.232 with commit 7caeb5457bd01ccba0df1d6f4872f20d28e50b38
	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 5.10.169 with commit ec9c7aa08819f976b2492fa63c41b5712d2924b5
	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 5.15.95 with commit cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a
	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 6.1.13 with commit c6879a4dcefe92d870ab68cabaa9caeda4f2af5a
	Issue introduced in 5.2 with commit 0e94682b73bfa6c44c98af7a26771c9c08c055d5 and fixed in 6.2 with commit c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52707
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/sched/psi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7caeb5457bd01ccba0df1d6f4872f20d28e50b38
	https://git.kernel.org/stable/c/ec9c7aa08819f976b2492fa63c41b5712d2924b5
	https://git.kernel.org/stable/c/cca2b3feb70170ef6f0fbc4b4d91eea235a2b73a
	https://git.kernel.org/stable/c/c6879a4dcefe92d870ab68cabaa9caeda4f2af5a
	https://git.kernel.org/stable/c/c2dbe32d5db5c4ead121cf86dabd5ab691fb47fe