CVE-2023-52851

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
21/05/2024
Last modified:
10/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF

In the unlikely event that workqueue allocation fails and returns NULL in
mlx5_mkey_cache_init(), delete the call to
mlx5r_umr_resource_cleanup() (which frees the QP) in
mlx5_ib_stage_post_ib_reg_umr_init(). This will avoid attempted double
free of the same QP when __mlx5_ib_add() does its cleanup.

Resolves a splat:

Syzkaller reported a UAF in ib_destroy_qp_user

workqueue: Failed to create a rescuer kthread for wq "mkey_cache": -EINTR
infiniband mlx5_0: mlx5_mkey_cache_init:981:(pid 1642):
failed to create work queue
infiniband mlx5_0: mlx5_ib_stage_post_ib_reg_umr_init:4075:(pid 1642):
mr cache init failed -12
==================================================================
BUG: KASAN: slab-use-after-free in ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073)
Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642

Call Trace:

kasan_report (mm/kasan/report.c:590)
ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2073)
mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198)
__mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4178)
mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)
...

Allocated by task 1642:
__kmalloc (./include/linux/kasan.h:198 mm/slab_common.c:1026 mm/slab_common.c:1039)
create_qp (./include/linux/slab.h:603 ./include/linux/slab.h:720 ./include/rdma/ib_verbs.h:2795 drivers/infiniband/core/verbs.c:1209)
ib_create_qp_kernel (drivers/infiniband/core/verbs.c:1347)
mlx5r_umr_resource_init (drivers/infiniband/hw/mlx5/umr.c:164)
mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4070)
__mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168)
mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)
...

Freed by task 1642:
__kmem_cache_free (mm/slub.c:1826 mm/slub.c:3809 mm/slub.c:3822)
ib_destroy_qp_user (drivers/infiniband/core/verbs.c:2112)
mlx5r_umr_resource_cleanup (drivers/infiniband/hw/mlx5/umr.c:198)
mlx5_ib_stage_post_ib_reg_umr_init (drivers/infiniband/hw/mlx5/main.c:4076 drivers/infiniband/hw/mlx5/main.c:4065)
__mlx5_ib_add (drivers/infiniband/hw/mlx5/main.c:4168)
mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402)
...
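The failure pattern behind this entry, as an added user-space model that is not code from this page or from the mlx5 driver: a staged probe with an unwind path, where the vulnerable stage destroys the UMR QP on its own error path and the unwind destroys it again, next to the fixed shape the commit describes, which reports the error and leaves the single teardown to the unwind. Every name here (dev_add, probe, umr_resource_init/cleanup, mkey_cache_init, the two-entry stage table, the fail_mkey_cache knob) is an assumption of this example; the slot tracker stands in for KASAN, which is what made the second free reportable in the splat.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Tracked stand-in for an RDMA QP: slots are never reused, so a second destroy is
 * counted instead of corrupting the heap, the way KASAN's quarantine exposed it. */
enum qp_state { QP_FREE, QP_ALIVE, QP_DESTROYED };
static enum qp_state qp_pool[4];
static int next_slot, double_destroy_count;

static enum qp_state *qp_create(void)
{
	if (next_slot >= 4)
		return NULL;
	qp_pool[next_slot] = QP_ALIVE;
	return &qp_pool[next_slot++];
}

static void qp_destroy(enum qp_state *qp)
{
	if (*qp != QP_ALIVE)	/* the second destroy ib_destroy_qp_user tripped on */
		double_destroy_count++;
	*qp = QP_DESTROYED;
}

/* Hypothetical device: umr_qp stands in for the UMR QP; fail_mkey_cache makes the
 * mkey cache stage fail the way the failed workqueue allocation did. */
struct dev { enum qp_state *umr_qp; int fail_mkey_cache; };
struct stage { int (*init)(struct dev *); void (*cleanup)(struct dev *); };

static int umr_resource_init(struct dev *dev)
{
	dev->umr_qp = qp_create();
	return dev->umr_qp ? 0 : -ENOMEM;
}
/* Destroys the QP but leaves the pointer dangling: a second call is a double free. */
static void umr_resource_cleanup(struct dev *dev)
{
	if (dev->umr_qp)
		qp_destroy(dev->umr_qp);
}
static int mkey_cache_init(struct dev *dev)
{
	return dev->fail_mkey_cache ? -ENOMEM : 0;
}
/* Vulnerable shape: the stage tears the QP down on its own error path. */
int post_umr_init_vulnerable(struct dev *dev)
{
	int err = umr_resource_init(dev);
	if (err)
		return err;
	err = mkey_cache_init(dev);
	if (err)
		umr_resource_cleanup(dev);	/* first destroy */
	return err;
}
/* Fixed shape, as the commit does: report the error, leave teardown to the unwind. */
int post_umr_init_fixed(struct dev *dev)
{
	int err = umr_resource_init(dev);
	return err ? err : mkey_cache_init(dev);
}

/* Staged probe with unwind in the shape of __mlx5_ib_add(): run each stage's init;
 * on failure run the cleanup of every earlier stage in reverse order. */
static int dev_add(struct dev *dev, const struct stage *stages, size_t n)
{
	size_t i;
	int err = 0;
	for (i = 0; i < n; i++)
		if (stages[i].init && (err = stages[i].init(dev)))
			break;
	while (err && i) {
		i--;
		if (stages[i].cleanup)
			stages[i].cleanup(dev);	/* second destroy in the vulnerable case */
	}
	return err;
}

/* Assumed stage table (not the driver's real one): the QP's teardown belongs to an
 * earlier, cleanup-only stage, so the unwind reaches it, as in the trace above. */
int probe(int (*post_init)(struct dev *))
{
	struct dev dev = { NULL, 1 };
	const struct stage stages[] = { { NULL, umr_resource_cleanup }, { post_init, NULL } };
	memset(qp_pool, 0, sizeof(qp_pool));
	next_slot = double_destroy_count = 0;
	return dev_add(&dev, stages, 2);
}
int double_destroys(void) { return double_destroy_count; }	/* from the last probe */

int main(void)
{
	int err = probe(post_umr_init_vulnerable);
	printf("vulnerable: err=%d double destroys=%d\n", err, double_destroys());
	err = probe(post_umr_init_fixed);
	printf("fixed:      err=%d double destroys=%d\n", err, double_destroys());
}
```

Build with `cc -Wall model.c && ./a.out`: both probes fail with -ENOMEM, but only the vulnerable variant records a second destroy of the same QP. The point to take from the fix is ownership: once an unwind path is responsible for tearing a resource down, a stage's local error path must not also free it. Nulling the pointer inside the cleanup would have turned this particular second call into a no-op, but that masks the ownership bug rather than removing it.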

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.19 (including)   6.1.63 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)    6.5.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.6 (including)    6.6.2 (excluding)