CVE-2023-54019

Destroying psi trigger in cgroupfilerelease causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroupfilerelease while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer:

doselect vfspoll dormdir cgrouprmdir kernfsdrainopenfiles cgroupfilerelease cgrouppressurerelease psitriggerdestroy wakeuppollfree(&t->eventwait) // vfspoll is unblocked synchronizercu kfree(t) poll_freewait -> UAF access to the trigger's waitqueue head

Patch [1] fixed this issue for epoll() case using wakeuppollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger's waitqueue and of the file associated with the trigger are different. Fix this by using kernfsgenericpoll function when polling on cgroup-specific psi triggers. It internally uses kernfsopennode->poll waitqueue head with its lifecycle tied to the file's lifecycle. This also renders the fix in [1] obsolete, so revert it.

[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in epremovewait_queue()")

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54019.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0e94682b73bfa6c44c98af7a26771c9c08c055d5

Fixed

92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a

Fixed

d124ab17024cc85a1079b7810a018a497ebc13da

Fixed

aff037078ecaecf34a7c2afab1341815f90fba5e

Affected versions

v5.*

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v5.2

v5.2-rc1

v5.2-rc2

v5.2-rc3

v5.2-rc4

v5.2-rc5

v5.2-rc6

v5.2-rc7

v5.3

v5.3-rc1

v5.3-rc2

v5.3-rc3

v5.3-rc4

v5.3-rc5

v5.3-rc6

v5.3-rc7

v5.3-rc8

v5.4

v5.4-rc1

v5.4-rc2

v5.4-rc3

v5.4-rc4

v5.4-rc5

v5.4-rc6

v5.4-rc7

v5.4-rc8

v5.5

v5.5-rc1

v5.5-rc2

v5.5-rc3

v5.5-rc4

v5.5-rc5

v5.5-rc6

v5.5-rc7

v5.6

v5.6-rc1

v5.6-rc2

v5.6-rc3

v5.6-rc4

v5.6-rc5

v5.6-rc6

v5.6-rc7

v5.7

v5.7-rc1

v5.7-rc2

v5.7-rc3

v5.7-rc4

v5.7-rc5

v5.7-rc6

v5.7-rc7

v5.8

v5.8-rc1

v5.8-rc2

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.4.1

v6.4.2

v6.4.3

v6.4.4

v6.4.5

v6.4.6

v6.5-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54019.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2.0

Fixed

6.1.42

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.4.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54019.json"