CVE-2023-52854

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/05/2024
Last modified: 03/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

padata: Fix refcnt handling in padata_free_shell()

In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead to system UAF (Use-After-Free) issues. Due to the lengthy analysis of the pcrypt_aead01 function call, I'll describe the problem scenario using a simplified model:

Suppose there's a user of padata named `user_function` that adheres to the padata requirement of calling `padata_free_shell` after `serial()` has been invoked, as demonstrated in the following code:

```c
struct request {
    struct padata_priv padata;
    struct completion *done;
};

void parallel(struct padata_priv *padata) {
    do_something();
}

void serial(struct padata_priv *padata) {
    struct request *request = container_of(padata,
                                           struct request,
                                           padata);
    /* wakes user_function before the worker has dropped its refcnt */
    complete(request->done);
}

void user_function() {
    DECLARE_COMPLETION(done);
    padata->parallel = parallel;
    padata->serial = serial;
    padata_do_parallel();
    wait_for_completion(&done);
    padata_free_shell();
}
```

In the corresponding padata.c file, there's the following code:

```c
static void padata_serial_worker(struct work_struct *serial_work) {
    ...
    cnt = 0;

    while (!list_empty(&local_list)) {
        ...
        padata->serial(padata);
        cnt++;
    }

    local_bh_enable();

    /* pd->refcnt is touched here; pd may already have been freed */
    if (refcount_sub_and_test(cnt, &pd->refcnt))
        padata_free_pd(pd);
}
```

Because of the high system load and the accumulation of unexecuted softirq at this moment, `local_bh_enable()` in padata takes longer to execute than usual. Subsequently, when accessing `pd->refcnt`, `pd` has already been released by `padata_free_shell()`, resulting in a UAF issue with `pd->refcnt`.

The fix is straightforward: add `refcount_dec_and_test` before calling `padata_free_pd` in `padata_free_shell`.
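The refcount hand-off described above, modelled in user space as an added example (this is not kernel code; the `_model` names and the single-request interleaving are assumptions). It runs the reported ordering, serial() completing and the shell being freed before the worker drops its count, against both the unpatched and the patched `padata_free_shell` behaviour:

```c
/* Added example, not kernel code: a user-space model of the pd refcount race. */
#include <stdbool.h>

struct pd_model {
    int  refcnt;  /* models pd->refcnt; starts at 1 for the shell's own reference */
    bool freed;   /* set by padata_free_pd(); any later access to pd is a UAF */
};

/* padata_do_parallel(): each queued request takes a reference on pd. */
static void do_parallel_model(struct pd_model *pd) { pd->refcnt++; }

/* Tail of padata_serial_worker(): after cnt serial() callbacks have run,
 * drop cnt references. Returns true if it touched an already-freed pd. */
static bool serial_worker_drop_model(struct pd_model *pd, int cnt)
{
    if (pd->freed)
        return true;          /* the UAF on pd->refcnt */
    pd->refcnt -= cnt;
    if (pd->refcnt == 0)
        pd->freed = true;     /* padata_free_pd(pd) */
    return false;
}

/* Unpatched padata_free_shell(): frees pd regardless of outstanding references. */
static void free_shell_buggy_model(struct pd_model *pd) { pd->freed = true; }

/* Patched padata_free_shell(): drop only the shell's reference, free at zero. */
static void free_shell_fixed_model(struct pd_model *pd)
{
    if (--pd->refcnt == 0)
        pd->freed = true;
}

/* Interleaving from the report: serial() has completed and user_function has
 * called padata_free_shell(), but local_bh_enable() has not yet returned in
 * the worker, so its refcount_sub_and_test runs last.
 * Returns 1 on UAF, 2 if pd is leaked, 0 if pd is freed exactly once. */
int run_race_model(bool patched)
{
    struct pd_model pd = { .refcnt = 1, .freed = false };
    do_parallel_model(&pd);                 /* one request in flight: refcnt == 2 */
    if (patched)
        free_shell_fixed_model(&pd);        /* refcnt 2 -> 1, pd stays alive */
    else
        free_shell_buggy_model(&pd);        /* pd freed while the worker still holds a ref */
    if (serial_worker_drop_model(&pd, 1))   /* worker finally drops its count */
        return 1;
    return pd.freed ? 0 : 2;
}
```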

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.16.84 (including) | 3.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.4.215 (including) | 4.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.215 (including) | 4.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14.172 (including) | 4.15 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.103 (including) | 4.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.19 (including) | 5.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5.3 (including) | 5.10.201 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.139 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.63 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.5.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6 (including) | 6.6.2 (excluding) |