CVE-2023-52438

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> binder: fix use-after-free in shinker&amp;#39;s callback<br /> <br /> The mmap read lock is used during the shrinker&amp;#39;s callback, which means<br /> that using alloc-&gt;vma pointer isn&amp;#39;t safe as it can race with munmap().<br /> As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in<br /> munmap") the mmap lock is downgraded after the vma has been isolated.<br /> <br /> I was able to reproduce this issue by manually adding some delays and<br /> triggering page reclaiming through the shrinker&amp;#39;s debug sysfs. The<br /> following KASAN report confirms the UAF:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8<br /> Read of size 8 at addr ffff356ed50e50f0 by task bash/478<br /> <br /> CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70<br /> Hardware name: linux,dummy-virt (DT)<br /> Call trace:<br /> zap_page_range_single+0x470/0x4b8<br /> binder_alloc_free_page+0x608/0xadc<br /> __list_lru_walk_one+0x130/0x3b0<br /> list_lru_walk_node+0xc4/0x22c<br /> binder_shrink_scan+0x108/0x1dc<br /> shrinker_debugfs_scan_write+0x2b4/0x500<br /> full_proxy_write+0xd4/0x140<br /> vfs_write+0x1ac/0x758<br /> ksys_write+0xf0/0x1dc<br /> __arm64_sys_write+0x6c/0x9c<br /> <br /> Allocated by task 492:<br /> kmem_cache_alloc+0x130/0x368<br /> vm_area_alloc+0x2c/0x190<br /> mmap_region+0x258/0x18bc<br /> do_mmap+0x694/0xa60<br /> vm_mmap_pgoff+0x170/0x29c<br /> ksys_mmap_pgoff+0x290/0x3a0<br /> __arm64_sys_mmap+0xcc/0x144<br /> <br /> Freed by task 491:<br /> kmem_cache_free+0x17c/0x3c8<br /> vm_area_free_rcu_cb+0x74/0x98<br /> rcu_core+0xa38/0x26d4<br /> rcu_core_si+0x10/0x1c<br /> __do_softirq+0x2fc/0xd24<br /> <br /> Last potentially related work creation:<br /> __call_rcu_common.constprop.0+0x6c/0xba0<br /> call_rcu+0x10/0x1c<br /> vm_area_free+0x18/0x24<br /> remove_vma+0xe4/0x118<br /> do_vmi_align_munmap.isra.0+0x718/0xb5c<br /> do_vmi_munmap+0xdc/0x1fc<br /> __vm_munmap+0x10c/0x278<br /> __arm64_sys_munmap+0x58/0x7c<br /> <br /> Fix this issue by performing instead a vma_lookup() which will fail to<br /> find the vma that was isolated before the mmap lock downgrade. Note that<br /> this option has better performance than upgrading to a mmap write lock<br /> which would increase contention. Plus, mmap_write_trylock() has been<br /> recently removed anyway.