Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2023-52609

Disclosure Date: March 18, 2024 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

binder: fix race between mmput() and do_exit()

Task A calls binder_update_page_range() to allocate and insert pages on
a remote address space from Task B. For this, Task A pins the remote mm
via mmget_not_zero() first. This can race with Task B do_exit() and the
final mmput() refcount decrement will come from Task A.

Task A | Task B
—————————+—————————
mmget_not_zero() |

                |  do_exit()
                |    exit_mm()
                |      mmput()

mmput() |

exit_mmap()     |
  remove_vma()  |
    fput()      |

In this case, the work of ____fput() from Task B is queued up in Task A
as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup
work gets executed. However, Task A instead sleep, waiting for a reply
from Task B that never comes (it’s dead).

This means the binder_deferred_release() is blocked until an unrelated
binder event forces Task A to go back to userspace. All the associated
death notifications will also be delayed until then.

In order to fix this use mmput_async() that will schedule the work in
the corresponding mm->async_put_work WQ instead of Task A.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

Linux

Products

Linux

References

Canonical

CVE-2023-52609 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52609)

Miscellaneous

https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608

https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097

https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918

https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9

https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3

https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e

https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01

https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5

https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html

https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Rapid7

Technical Analysis