CVE-2023-45898 - Understanding the Linux Kernel “es1” Use-After-Free Vulnerability in ext4 (fs/ext4/extents_status.c)

The Linux kernel is the backbone of almost every popular Linux distribution, powering servers, desktops, and even billions of Android devices. Security flaws in the kernel, like CVE-2023-45898, can have widespread effects. In this long read, we break down what this vulnerability is, show some code snippets, offer references, and provide a detailed explanation of how the exploit could work. All in easy-to-grasp language.

What is CVE-2023-45898?

In September 2023, a security flaw was discovered in the Linux kernel, specifically in its handling of the ext4 filesystem—the default for many Linux distributions. The bug, tracked as CVE-2023-45898, allows a use-after-free bug to occur in the fs/ext4/extents_status.c file, more specifically to the ext4_es_insert_extent function. This use-after-free is related to "es1", an extent status structure, leaving the kernel open to a potential privilege escalation or crash.

Affected versions: All Linux kernels before v6.5.4

What Is a Use-After-Free?

A use-after-free happens when a program continues to use a part of memory (like a pointer or object) after that memory has been returned (freed) to the system. In the Linux kernel, this can corrupt memory, crash the system, or let an attacker execute malicious code.

The Coding Problem: Where Is It?

The problematic code sits in fs/ext4/extents_status.c in the ext4 codebase. Let’s look at a simplified snippet illustrating what this bug looks like (not all variables and logic included for readability):

int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, ... ) {
    struct extent_status *es1 = NULL, *es2;
    // ...
    es1 = ext4_es_alloc_extent(...);

    if (!es1)
        return -ENOMEM;

    // Some operations, insert es1 into a tree or list
    rb_insert(some_tree, es1);

    // Potentially, under certain circumstances, es1 can be freed:
    if (es1_should_be_removed)
        ext4_es_free_extent(es1); // <-- es1 is freed here

    // Some more logic
    // OOPS: es1 might still be used or referenced here!
    do_something(es1);
}

The key problem is that under certain conditions, the structure es1 gets freed—meaning it should not be accessed anymore. But the function doesn’t stop using it, maybe logging or updating it further. At this point, es1 could point to memory now used by some other part of the kernel, which is a classic use-after-free.

Reference Links

- CVE Details: CVE-2023-45898 - NVD
- Official Patch: Linux commit 6a02414dbb31 (kernel git)
- LKML report: LKML.org Kernel Mailing List
- Red Hat Issue Tracker: Bugzilla 2242364

Potentially execute arbitrary code in kernel space

In most cases, this flaw requires local access (you need to run code on the machine). However, in hosting, multi-user, or cloud environments, any local kernel bug is a big deal.

How Could an Exploit Look?

CVE-2023-45898 is not trivial to exploit, but here’s an example of how someone might approach it in a lab:

1. Fill up extent status structures: Use a carefully crafted filesystem or write pattern that forces lots of extents to be created and removed.
2. Trigger freeing of es1: Use a pattern that will make ext4_es_insert_extent free an extent status (es1) but then keep using it.
3. Heap Spray: Fill kernel memory with attacker-controlled data right after freeing, hoping the kernel will treat that data as a valid extent.
4. Corrupt: When es1 is used again, it could point to attacker data, allowing controlled corruption or even code execution.

Very simplified, the pseudo-logical flow looks like this

1. Create ext4 filesystem or file.
2. Write lots of data in patterns to fill extent max size.
3. Rapidly delete and rewrite, causing extents to be recycled and freed.
4. Use user-controlled data (through mmap, or writing to special files) to fill up freed memory slots.
5. Wait for kernel to act on corrupted extent and gain control.

Note: As of now, there isn’t a public exploit, but the pattern above is a typical template.

Fixes and Workarounds

- Update Kernel: Upgrade to Linux kernel 6.5.4 or later. The fix is simply a change in when and how the memory is freed and what is referenced after.
- Minimal Mitigation: Restrict local user access, especially unprivileged shell accounts, until upgraded.

Final Thoughts

CVE-2023-45898 is a reminder that filesystem code, even after years of testing, can still harbor dangerous memory bugs. If you rely on Linux for hosting, desktops, or especially multi-user environments, update as soon as possible.

Keep learning:

Test upgrades on non-critical machines first.

Did you enjoy this breakdown? Let us know if you want more plain-English guides about recent Linux CVEs!

Timeline

Published on: 10/16/2023 03:15:09 UTC
Last modified on: 11/07/2023 04:21:49 UTC