In the Linux kernel, the following vulnerability has been resolved:

binder: fix race between mmput() and do_exit()

Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A.

```
Task A            | Task B
------------------+------------------
mmget_not_zero()  |
                  |  do_exit()
                  |    exit_mm()
                  |      mmput()
mmput()           |
  exit_mmap()     |
    remove_vma()  |
      fput()      |
```

In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleeps, waiting for a reply from Task B that never comes (it’s dead).

This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then.

In order to fix this, use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.
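The race and the fix described above, reduced to a small userspace state model in C. This is an added illustration, not kernel code and not part of the original advisory; `struct model`, `teardown()`, `model_mmput()`, `model_mmput_async()` and `released()` are hypothetical names, and the model assumes the workqueue always makes progress independently of Task A.

```c
/* Simplified userspace model of the race; not kernel code. Names are illustrative. */
#include <stdbool.h>
#include <stdio.h>

enum ctx { TASK_A, WORKQUEUE };

struct model {
    int  mm_users;       /* references pinning Task B's mm */
    bool a_task_work;    /* ____fput() queued on Task A as TWA_RESUME */
    bool wq_work;        /* mm->async_put_work queued on the workqueue */
    bool file_released;  /* file released, so deferred release can proceed */
};

/* Final teardown: exit_mmap() -> remove_vma() -> fput(), run in context c. */
static void teardown(struct model *m, enum ctx c)
{
    if (c == TASK_A)
        m->a_task_work = true;    /* runs only when Task A returns to userspace */
    else
        m->file_released = true;  /* worker does not wait on Task A */
}

static void model_mmput(struct model *m)        /* behaviour before the fix */
{
    if (--m->mm_users == 0) teardown(m, TASK_A);
}

static void model_mmput_async(struct model *m)  /* behaviour after the fix */
{
    if (--m->mm_users == 0) m->wq_work = true;
}

/* Replays the interleaving from the diagram; returns whether the file got released. */
static bool released(bool use_async, bool a_resumes)
{
    struct model m = { .mm_users = 1 };          /* Task B owns its mm */
    m.mm_users++;                                /* Task A: mmget_not_zero() */
    m.mm_users--;                                /* Task B: do_exit() -> exit_mm() -> mmput() */
    if (use_async) model_mmput_async(&m); else model_mmput(&m);    /* Task A: final put */
    if (m.wq_work) { m.wq_work = false; teardown(&m, WORKQUEUE); } /* workqueue runs on its own */
    if (a_resumes && m.a_task_work) m.file_released = true;        /* task_work on return to userspace */
    return m.file_released;
}

int main(void)
{
    printf("mmput, A asleep:       released=%d\n", released(false, false));
    printf("mmput_async, A asleep: released=%d\n", released(true, false));
    printf("mmput, A resumes:      released=%d\n", released(false, true));
}
```

With `mmput()` the release stays pending for as long as Task A sleeps; with `mmput_async()` it completes without Task A returning to userspace.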

Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < 5.4.0-176.196 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-102.112 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1122.132 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1057.63 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1021.21 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1057.63~20.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < 5.4.0-1122.132~18.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < 5.4.0-1127.134 | UNKNOWN |

git.kernel.org/linus/9a9ab0d963621d9d12199df9817e66982582d5a5 (6.8-rc1)
git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097
git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3
git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e
git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01
git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918
git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608
git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9
git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5
launchpad.net/bugs/cve/CVE-2023-52609
nvd.nist.gov/vuln/detail/CVE-2023-52609
security-tracker.debian.org/tracker/CVE-2023-52609
ubuntu.com/security/notices/USN-6725-1
ubuntu.com/security/notices/USN-6725-2
ubuntu.com/security/notices/USN-6726-1
ubuntu.com/security/notices/USN-6726-2
ubuntu.com/security/notices/USN-6726-3
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6819-4
www.cve.org/CVERecord?id=CVE-2023-52609