CVE-2023-52851
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-52851
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52851.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-52851
- Related
- Published
- 2024-05-21T16:15:22Z
- Modified
- 2024-09-18T03:24:39.632847Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF
In the unlikely event that workqueue allocation fails and returns NULL in mlx5mkeycacheinit(), delete the call to mlx5rumrresourcecleanup() (which frees the QP) in mlx5ibstagepostibregumrinit(). This will avoid attempted double free of the same QP when _mlx5ibadd() does its cleanup.
Resolves a splat:
Syzkaller reported a UAF in ibdestroyqp_user
workqueue: Failed to create a rescuer kthread for wq "mkeycache": -EINTR infiniband mlx50: mlx5mkeycacheinit:981:(pid 1642): failed to create work queue infiniband mlx50: mlx5ibstagepostibregumrinit:4075:(pid 1642): mr cache init failed -12 ================================================================== BUG: KASAN: slab-use-after-free in ibdestroyqpuser (drivers/infiniband/core/verbs.c:2073) Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642
Call Trace: <TASK> kasanreport (mm/kasan/report.c:590) ibdestroyqpuser (drivers/infiniband/core/verbs.c:2073) mlx5rumrresourcecleanup (drivers/infiniband/hw/mlx5/umr.c:198) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4178) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... </TASK>
Allocated by task 1642: _kmalloc (./include/linux/kasan.h:198 mm/slabcommon.c:1026 mm/slabcommon.c:1039) createqp (./include/linux/slab.h:603 ./include/linux/slab.h:720 ./include/rdma/ibverbs.h:2795 drivers/infiniband/core/verbs.c:1209) ibcreateqpkernel (drivers/infiniband/core/verbs.c:1347) mlx5rumrresourceinit (drivers/infiniband/hw/mlx5/umr.c:164) mlx5ibstagepostibregumrinit (drivers/infiniband/hw/mlx5/main.c:4070) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4168) mlx5rprobe (drivers/infiniband/hw/mlx5/main.c:4402) ...
Freed by task 1642: _kmemcachefree (mm/slub.c:1826 mm/slub.c:3809 mm/slub.c:3822) ibdestroyqpuser (drivers/infiniband/core/verbs.c:2112) mlx5rumrresourcecleanup (drivers/infiniband/hw/mlx5/umr.c:198) mlx5ibstagepostibregumrinit (drivers/infiniband/hw/mlx5/main.c:4076 drivers/infiniband/hw/mlx5/main.c:4065) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4168) mlx5rprobe (drivers/infiniband/hw/mlx5/main.c:4402) ...
- References
-
- https://git.kernel.org/stable/c/2ef422f063b74adcc4a4a9004b0a87bb55e0a836
- https://git.kernel.org/stable/c/437f033e30c897bb3723eac9e9003cd9f88d00a3
- https://git.kernel.org/stable/c/4f4a7a7d1404297f2a92df0046f7e64dc5c52dd9
- https://git.kernel.org/stable/c/6387f269d84e6e149499408c4d1fc805017729b2
- https://security-tracker.debian.org/tracker/CVE-2023-52851
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.64-1
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.6.8-1