Ubuntu.comUB:CVE-2023-52562CVE-2023-52562
In the Linux kernel, the following vulnerability has been resolved:
mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()
After the commit in Fixes:, if a module that created a slab cache does not
release all of its allocated objects before destroying the cache (at rmmod
time), we might end up releasing the kmem_cache object without removing it
from the slab_caches list thus corrupting the list as kmem_cache_destroy()
ignores the return value from shutdown_cache(), which in turn never removes
the kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails
to release all of the cache’s slabs. This is easily observable on a kernel
built with CONFIG_DEBUG_LIST=y as after that ill release the system will
immediately trip on list_add, or list_del, assertions similar to the one
shown below as soon as another kmem_cache gets created, or destroyed: [
1041.213632] list_del corruption. next->prev should be ffff89f596fb5768,
but was 52f1e5016aeee75d. (next=ffff89f595a1b268) [ 1041.219165]
------------[ cut here ]------------ [ 1041.221517] kernel BUG at
lib/list_debug.c:62! [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP
PTI [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G B
W OE 6.5.0 #15 [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9,
2009), BIOS edk2-20230524-3.fc37 05/24/2023 [ 1041.231212] RIP:
0010:__list_del_entry_valid+0xae/0xb0 Another quick way to trigger this
issue, in a kernel with CONFIG_SLUB=y, is to set slub_debug to poison the
released objects and then just run cat /proc/slabinfo after removing the
module that leaks slab objects, in which case the kernel will panic: [
50.954843] general protection fault, probably for non-canonical address
0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI [ 50.961545] CPU: 2 PID: 1495
Comm: cat Kdump: loaded Tainted: G B W OE 6.5.0 #15 [ 50.966808] Hardware
name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37
05/24/2023 [ 50.972663] RIP: 0010:get_slabinfo+0x42/0xf0 This patch fixes
this issue by properly checking shutdown_cache()'s return value before
taking the kmem_cache_release() branch.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 23.10 | noarch | linux | < 6.5.0-17.17 | UNKNOWN |
| ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1013.13 | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws-6.5 | < 6.5.0-1013.13~22.04.1 | UNKNOWN |
| ubuntu | 23.10 | noarch | linux-azure | < 6.5.0-1013.13 | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-azure-6.5 | < 6.5.0-1013.13~22.04.1 | UNKNOWN |
| ubuntu | 23.10 | noarch | linux-gcp | < 6.5.0-1013.13 | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-gcp-6.5 | < 6.5.0-1013.13~22.04.1 | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-gke | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-hwe-6.5 | < 6.5.0-17.17~22.04.1 | UNKNOWN |
| ubuntu | 24.04 | noarch | linux-ibm | < 6.6.0-1001.1 | UNKNOWN |
Related
