Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
prionPRIOn knowledge basePRION:CVE-2023-52562
HistoryMar 02, 2024 - 10:15 p.m.

Spoofing

2024-03-0222:15:00
PRIOn knowledge base
www.prio-n.com
5
linux kernel vuln
slab caches
list corruption
kmem cache destroy
module
rmmod time
kernel panic

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

In the Linux kernel, the following vulnerability has been resolved:

mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()

After the commit in Fixes:, if a module that created a slab cache does not
release all of its allocated objects before destroying the cache (at rmmod
time), we might end up releasing the kmem_cache object without removing it
from the slab_caches list thus corrupting the list as kmem_cache_destroy()
ignores the return value from shutdown_cache(), which in turn never removes
the kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails
to release all of the cache’s slabs.

This is easily observable on a kernel built with CONFIG_DEBUG_LIST=y
as after that ill release the system will immediately trip on list_add,
or list_del, assertions similar to the one shown below as soon as another
kmem_cache gets created, or destroyed:

[ 1041.213632] list_del corruption. next->prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)
[ 1041.219165] ------------[ cut here ]------------
[ 1041.221517] kernel BUG at lib/list_debug.c:62!
[ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B W OE 6.5.0 #15
[ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023
[ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0

Another quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,
is to set slub_debug to poison the released objects and then just run
cat /proc/slabinfo after removing the module that leaks slab objects,
in which case the kernel will panic:

[ 50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI
[ 50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15
[ 50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023
[ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0

This patch fixes this issue by properly checking shutdown_cache()'s
return value before taking the kmem_cache_release() branch.

Related

debiancve 1
redhatcve 1
ubuntucve 1
cve 1
cvelist 1
redhat 3
nessus 4
debiancve
debiancve
CVE-2023-52562
2024-03-02 22:15:48
redhatcve
redhatcve
CVE-2023-52562
2024-03-04 17:25:39
ubuntucve
ubuntucve
CVE-2023-52562
2024-03-02 00:00:00
cve
cve
CVE-2023-52562
2024-03-02 22:15:48
cvelist
cvelist
CVE-2023-52562 mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()
2024-03-02 21:59:35
redhat
redhat
(RHSA-2023:7549) Important: kernel security and bug fix update
2023-11-28 14:51:21
(RHSA-2023:7539) Important: kernel security, bug fix, and enhancement update
2023-11-28 14:45:13
(RHSA-2024:0448) Important: kernel security and bug fix update
2024-01-24 14:40:50
nessus
nessus
RHEL 8 : kernel (RHSA-2023:7549)
2023-11-28 00:00:00
RHEL 8 : kernel (RHSA-2023:7539)
2024-01-26 00:00:00
RHEL 9 : kernel (RHSA-2024:0448)
2024-01-25 00:00:00

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON
Related for PRION:CVE-2023-52562
debiancve1redhatcve1ubuntucve1cve1cvelist1redhat3nessus4