CVE-2024-43853
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-43853
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43853.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-43853
- Related
- Published
- 2024-08-17T10:15:10Z
- Modified
- 2024-09-18T03:26:35.844924Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
cgroup/cpuset: Prevent UAF in proccpusetshow()
An UAF can happen when /proc/cpuset is read as reported in [1].
This can be reproduced by the following methods: 1.add an mdelay(1000) before acquiring the cgrouplock In the cgrouppath_ns function. 2.$cat /proc/<pid>/cpuset repeatly. 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ $umount /sys/fs/cgroup/cpuset/ repeatly.
The race that cause this bug can be shown as below:
(umount) | (cat /proc/<pid>/cpuset) cssrelease | proccpusetshow cssreleaseworkfn | css = taskgetcss(tsk, cpusetcgrpid); cssfreerworkfn | cgrouppathns(css->cgroup, ...); cgroupdestroyroot | mutexlock(&cgroupmutex); rebindsubsystems | cgroupfreeroot | | // cgrp was freed, UAF | cgrouppathns_locked(cgrp,..);
When the cpuset is initialized, the root node topcpuset.css.cgrp will point to &cgrpdflroot.cgrp. In cgroup v1, the mount operation will allocate cgrouproot, and topcpuset.css.cgrp will point to the allocated &cgrouproot.cgrp. When the umount operation is executed, topcpuset.css.cgrp will be rebound to &cgrpdfl_root.cgrp.
The problem is that when rebinding to cgrpdflroot, there are cases where the cgrouproot allocated by setting up the root for cgroup v1 is cached. This could lead to a Use-After-Free (UAF) if it is subsequently freed. The descendant cgroups of cgroup v1 can only be freed after the css is released. However, the css of the root will never be released, yet the cgrouproot should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed.
Fix this problem by using rcureadlock in proccpusetshow(). As cgrouproot is kfreercu after commit d23b5c577715 ("cgroup: Make operations on the cgroup rootlist RCU safe"), css->cgroup won't be freed during the critical section. To call cgrouppathnslocked, csssetlock is needed, so it is safe to replace taskgetcss with task_css.
[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
- References
-
- https://git.kernel.org/stable/c/1be59c97c83ccd67a519d8a49486b3a8a73ca28a
- https://git.kernel.org/stable/c/29a8d4e02fd4840028c38ceb1536cc8f82a257d4
- https://git.kernel.org/stable/c/29ac1d238b3bf126af36037df80d7ecc4822341e
- https://git.kernel.org/stable/c/96226fbed566f3f686f53a489a29846f2d538080
- https://git.kernel.org/stable/c/10aeaa47e4aa2432f29b3e5376df96d7dac5537a
- https://git.kernel.org/stable/c/27d6dbdc6485d68075a0ebf8544d6425c1ed84bb
- https://git.kernel.org/stable/c/4e8d6ac8fc9f843e940ab7389db8136634e07989
- https://git.kernel.org/stable/c/688325078a8b5badd6e07ae22b27cd04e9947aec
- https://security-tracker.debian.org/tracker/CVE-2024-43853
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.106-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.10.3-1