CVE-2024-43853

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 17/08/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cgroup/cpuset: Prevent UAF in proc_cpuset_show()

A UAF can happen when /proc/cpuset is read, as reported in [1].

This can be reproduced by the following methods:
1. Add an mdelay(1000) before acquiring the cgroup_lock in the cgroup_path_ns function.
2. $cat /proc/<pid>/cpuset repeatedly.
3. $mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/
   $umount /sys/fs/cgroup/cpuset/ repeatedly.

The race that causes this bug can be shown as below:

(umount)                    |   (cat /proc/<pid>/cpuset)
css_release                 |   proc_cpuset_show
css_release_work_fn         |   css = task_get_css(tsk, cpuset_cgrp_id);
css_free_rwork_fn           |   cgroup_path_ns(css->cgroup, ...);
cgroup_destroy_root         |     mutex_lock(&cgroup_mutex);
rebind_subsystems           |
cgroup_free_root            |
                            |     // cgrp was freed, UAF
                            |     cgroup_path_ns_locked(cgrp,..);

When the cpuset is initialized, the root node top_cpuset.css.cgrp will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated &cgroup_root.cgrp. When the umount operation is executed, top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.

The problem is that when rebinding to cgrp_dfl_root, there are cases where the cgroup_root allocated by setting up the root for cgroup v1 is cached. This could lead to a Use-After-Free (UAF) if it is subsequently freed. The descendant cgroups of cgroup v1 can only be freed after the css is released. However, the css of the root will never be released, yet the cgroup_root should be freed when it is unmounted. This means that obtaining a reference to the css of the root does not guarantee that css.cgrp->root will not be freed.

Fix this problem by using rcu_read_lock in proc_cpuset_show(). As cgroup_root is kfree_rcu after commit d23b5c577715 ("cgroup: Make operations on the cgroup root_list RCU safe"), css->cgroup won't be freed during the critical section. To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to replace task_get_css with task_css.

[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
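The lifetime mismatch the commit message describes (a reference on the root css pins the css, but not the cgroup_root that css->cgroup lives inside, which umount frees) can be modelled outside the kernel. The following is an added user-space model written for this page; it is not kernel code and not the kernel's patch. The struct and function names mirror the commit message, but the refcount, RCU and "free" are toy stand-ins: a freed object is marked with a flag instead of being passed to free(), so the model reports the use-after-free deterministically rather than executing undefined behaviour, and the race window (the mdelay(1000) in the reproducer) is modelled by calling the umount path between the reader's snapshot and its dereference.

```c
/* Constructed model of the CVE-2024-43853 lifetime bug. Not kernel code:
 * names follow the commit message, everything else is a toy stand-in. */
#include <stdio.h>
#include <string.h>

struct cgroup_root;
struct cgroup      { struct cgroup_root *root; };
struct cgroup_root { struct cgroup cgrp; int freed; }; /* root cgroup is embedded, as in the kernel */
struct css         { struct cgroup *cgroup; int refcnt; }; /* stands in for cgroup_subsys_state */

static struct cgroup_root cgrp_dfl_root;  /* default hierarchy root: never freed */
static struct cgroup_root v1_root;        /* allocated by mount -t cgroup -o cpuset, freed by umount */
static struct css top_cpuset_css;         /* top_cpuset.css */

/* Toy RCU: a reader count plus a deferred-free queue drained when the last reader leaves. */
static int rcu_readers;
static struct cgroup_root *rcu_pending[4];
static int rcu_npending;

static void rcu_read_lock(void) { rcu_readers++; }
static void rcu_read_unlock(void) {
    if (--rcu_readers == 0) {                     /* grace period ends: run deferred frees */
        for (int i = 0; i < rcu_npending; i++) rcu_pending[i]->freed = 1;
        rcu_npending = 0;
    }
}
static void kfree_rcu_root(struct cgroup_root *r) {
    if (rcu_readers == 0) r->freed = 1;           /* no reader inside: free right away */
    else rcu_pending[rcu_npending++] = r;         /* otherwise wait for the grace period */
}

/* mount -t cgroup -o cpuset: set up a v1 cgroup_root and point the root css at it */
static void mount_v1(void) {
    memset(&v1_root, 0, sizeof v1_root);
    v1_root.cgrp.root = &v1_root;
    cgrp_dfl_root.cgrp.root = &cgrp_dfl_root;
    cgrp_dfl_root.freed = 0;
    top_cpuset_css.cgroup = &v1_root.cgrp;
    top_cpuset_css.refcnt = 1;
    rcu_readers = 0;
    rcu_npending = 0;
}

/* umount: rebind_subsystems() points the root css back at cgrp_dfl_root, then
 * cgroup_free_root() hands the v1 root to kfree_rcu(). The root css itself is
 * never released, so its refcount says nothing about v1_root's lifetime. */
static void umount_v1(void) {
    top_cpuset_css.cgroup = &cgrp_dfl_root.cgrp;
    kfree_rcu_root(&v1_root);
}

/* Pre-fix proc_cpuset_show(): holds a css reference but no RCU read-side section.
 * Returns 1 if the path lookup touched the freed root. */
static int proc_cpuset_show_buggy(void) {
    struct css *css = &top_cpuset_css;
    css->refcnt++;                        /* task_get_css(): pins css, not css->cgroup->root */
    struct cgroup *cgrp = css->cgroup;    /* cgroup_path_ns() snapshots the cgroup ... */
    umount_v1();                          /* ... and umount completes inside the delay window */
    int uaf = cgrp->root->freed;          /* cgroup_path_ns_locked(cgrp, ..): cgrp sits inside the freed root */
    css->refcnt--;
    return uaf;
}

/* Post-fix proc_cpuset_show(): task_css() under rcu_read_lock(). The commit also
 * relies on css_set_lock for cgroup_path_ns_locked; it is not modelled here. */
static int proc_cpuset_show_fixed(void) {
    rcu_read_lock();
    struct cgroup *cgrp = top_cpuset_css.cgroup;  /* task_css(): no reference taken */
    umount_v1();                                  /* kfree_rcu() only queues the free */
    int uaf = cgrp->root->freed;                  /* still live while the reader is inside */
    rcu_read_unlock();                            /* last reader leaves: deferred free runs now */
    return uaf;
}

int run_buggy(void)     { mount_v1(); return proc_cpuset_show_buggy(); } /* -> 1: UAF */
int run_fixed(void)     { mount_v1(); return proc_cpuset_show_fixed(); } /* -> 0: no UAF */
int v1_root_freed(void) { return v1_root.freed; }                        /* -> 1 after either run */

int main(void) {
    int buggy = run_buggy();
    int fixed = run_fixed();
    int freed_later = v1_root_freed();
    printf("buggy reader hit freed root: %d\n", buggy);
    printf("fixed reader hit freed root: %d (root freed once reader left: %d)\n", fixed, freed_later);
    return 0;
}
```

The point the model makes is the one in the description: the extra css reference in the buggy path changes nothing, because the object that disappears is the cgroup_root the css points into, not the css. Only a read-side critical section that the deferred free must wait for keeps the snapshot valid, and umount still frees the root as soon as the reader leaves.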

Vulnerable products and versions

CPE                                               From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.6 (including)    6.1.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)    6.6.44 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)    6.10.3 (excluding)