CVE-2023-52851

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52851
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52851.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52851
Related
Published
2024-05-21T16:15:22Z
Modified
2024-09-18T03:24:39.632847Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF

In the unlikely event that workqueue allocation fails and returns NULL in mlx5mkeycacheinit(), delete the call to mlx5rumrresourcecleanup() (which frees the QP) in mlx5ibstagepostibregumrinit(). This will avoid attempted double free of the same QP when _mlx5ibadd() does its cleanup.

Resolves a splat:

Syzkaller reported a UAF in ibdestroyqp_user

workqueue: Failed to create a rescuer kthread for wq "mkeycache": -EINTR infiniband mlx50: mlx5mkeycacheinit:981:(pid 1642): failed to create work queue infiniband mlx50: mlx5ibstagepostibregumrinit:4075:(pid 1642): mr cache init failed -12 ================================================================== BUG: KASAN: slab-use-after-free in ibdestroyqpuser (drivers/infiniband/core/verbs.c:2073) Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642

Call Trace: <TASK> kasanreport (mm/kasan/report.c:590) ibdestroyqpuser (drivers/infiniband/core/verbs.c:2073) mlx5rumrresourcecleanup (drivers/infiniband/hw/mlx5/umr.c:198) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4178) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... </TASK>

Allocated by task 1642: _kmalloc (./include/linux/kasan.h:198 mm/slabcommon.c:1026 mm/slabcommon.c:1039) createqp (./include/linux/slab.h:603 ./include/linux/slab.h:720 ./include/rdma/ibverbs.h:2795 drivers/infiniband/core/verbs.c:1209) ibcreateqpkernel (drivers/infiniband/core/verbs.c:1347) mlx5rumrresourceinit (drivers/infiniband/hw/mlx5/umr.c:164) mlx5ibstagepostibregumrinit (drivers/infiniband/hw/mlx5/main.c:4070) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4168) mlx5rprobe (drivers/infiniband/hw/mlx5/main.c:4402) ...

Freed by task 1642: _kmemcachefree (mm/slub.c:1826 mm/slub.c:3809 mm/slub.c:3822) ibdestroyqpuser (drivers/infiniband/core/verbs.c:2112) mlx5rumrresourcecleanup (drivers/infiniband/hw/mlx5/umr.c:198) mlx5ibstagepostibregumrinit (drivers/infiniband/hw/mlx5/main.c:4076 drivers/infiniband/hw/mlx5/main.c:4065) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4168) mlx5rprobe (drivers/infiniband/hw/mlx5/main.c:4402) ...

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.64-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.8-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}