A use-after-free in the Linux kernel's class_register() (drivers/base/class.c) has recently been fixed. On affected kernels a freed object can still be reached through a global list, so a later access touches freed memory, which can crash the kernel or cause other unexpected behaviour.

Exploit Details

The problem is in the error path of class_register(). The function registers the lock_class_key embedded in the freshly allocated subsys_private (cp->lock_key) with lockdep, and if the subsequent kset_register() fails it frees cp without unregistering that key. The lock_class_key therefore stays linked into the lock_keys_hash hlist even though its storage is gone, and any task that later iterates that hash, for example the next lockdep_register_key() call, follows the stale entry into freed memory. The fix is to call lockdep_unregister_key() on the key before kfree(cp) in that error path.

A driver reaches this path when kset_register() fails, for instance because a class with the same name is already registered and the '/class/xxx' sysfs entry would be a duplicate filename. With KernelAddressSANitizer (KASAN) enabled, the report looks like this:

BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc
Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252
Pointer tag: [15], memory tag: [fe]

...
Memory state around the buggy address:
ffffff808b8c010: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a
ffffff808b8c020: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe
>ffffff808b8c030: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                     ^

KASAN reports invalid-access rather than use-after-free because CONFIG_KASAN_GENERIC is not set: this kernel runs a tag-based KASAN mode, which detects the mismatch between the pointer tag (0x15) and the memory tag (0xfe, the tag KASAN assigns to freed memory) instead of classifying the bug by type. What happened is that modprobe, while registering a new key, walks the lock_keys_hash hlist and reaches the stale lock_class_key whose subsys_private had already been freed.
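To make the lifecycle described above concrete (register key, kset_register() fails, kfree(cp), later hash walk hits freed memory), here is an added user-space model of the error path and of the later walk that KASAN flags. It is not the kernel's code and not the patch: the kernel names (lock_class_key, subsys_private, lock_keys_hash, lockdep_register_key, lockdep_unregister_key, kset_register) are reused for readability, while the slot allocator with its liveness flags, the class name "gpio" and the error values are assumptions of the model. The liveness flag plays the role of KASAN's poison byte or memory tag, so the dangling entry can be counted instead of dereferenced.

```c
/* Added example, not kernel code: a user-space model of the class_register()
 * error path described above. The names mirror the kernel (lock_class_key,
 * subsys_private, lock_keys_hash, lockdep_register_key, lockdep_unregister_key,
 * kset_register); the structures, allocator and hash are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct lock_class_key { struct lock_class_key *next; }; /* next: stand-in for hlist linkage */

/* The key is embedded, so kfree(cp) frees the key's storage as well. */
struct subsys_private { struct lock_class_key lock_key; char class_name[32]; };

/* Slot allocator that remembers liveness, so a stale pointer is detectable without
 * undefined behaviour. KASAN does this with poison bytes or memory tags (0xfe = freed). */
#define SLOTS 4
static struct subsys_private pool[SLOTS];
static bool slot_live[SLOTS];
static const char *kset_names[SLOTS];           /* names kset_register() accepted */
static struct lock_class_key *lock_keys_hash;   /* stand-in for the lockdep key hash */

static struct subsys_private *model_kzalloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!slot_live[i]) { slot_live[i] = true; memset(&pool[i], 0, sizeof pool[i]); return &pool[i]; }
    return NULL;
}
/* Freed memory keeps its contents, exactly like the real thing. */
static void model_kfree(struct subsys_private *cp) { slot_live[cp - pool] = false; }

static bool points_to_live_object(const void *p) {
    for (int i = 0; i < SLOTS; i++)
        if (slot_live[i] && p >= (const void *)&pool[i] && p < (const void *)&pool[i + 1]) return true;
    return false;
}

static void lockdep_register_key(struct lock_class_key *key) { key->next = lock_keys_hash; lock_keys_hash = key; }
static void lockdep_unregister_key(struct lock_class_key *key) {
    for (struct lock_class_key **pp = &lock_keys_hash; *pp; pp = &(*pp)->next)
        if (*pp == key) { *pp = key->next; return; }
}

/* Fails with -EEXIST when the name is taken: the duplicate '/class/xxx' sysfs entry. */
static int model_kset_register(const char *name) {
    for (int i = 0; i < SLOTS; i++)
        if (kset_names[i] && strcmp(kset_names[i], name) == 0) return -17; /* -EEXIST */
    for (int i = 0; i < SLOTS; i++)
        if (!kset_names[i]) { kset_names[i] = name; return 0; }
    return -12; /* -ENOMEM */
}

/* fixed == false: the bug (key left in the hash after kfree).
 * fixed == true: the fix (lockdep_unregister_key before kfree). */
static int model_class_register(const char *name, bool fixed) {
    struct subsys_private *cp = model_kzalloc();
    if (!cp) return -12;
    strncpy(cp->class_name, name, sizeof cp->class_name - 1);
    lockdep_register_key(&cp->lock_key);
    int err = model_kset_register(cp->class_name);
    if (err) {
        if (fixed) lockdep_unregister_key(&cp->lock_key);
        model_kfree(cp);
        return err;
    }
    return 0;
}

/* The "task iterating over lock_keys_hash later": count entries whose storage
 * is freed. The first such entry is what KASAN reports as invalid-access. */
static int count_dangling_keys(void) {
    int n = 0;
    for (struct lock_class_key *k = lock_keys_hash; k; k = k->next)
        if (!points_to_live_object(k)) n++;
    return n;
}

static void reset_model(void) {
    memset(slot_live, 0, sizeof slot_live);
    memset(kset_names, 0, sizeof kset_names);
    lock_keys_hash = NULL;
}

int main(void) {
    for (int fixed = 0; fixed < 2; fixed++) {
        reset_model();
        model_class_register("gpio", fixed);            /* first registration succeeds */
        int err = model_class_register("gpio", fixed);  /* duplicate: kset_register fails */
        printf("%s: second register -> %d, dangling keys in hash: %d\n",
               fixed ? "fixed" : "buggy", err, count_dangling_keys());
    }
    return 0;
}
```

Running the buggy variant leaves one hash entry pointing into a freed slot after the duplicate registration fails; the fixed variant leaves none, because the key is unlinked before its storage is released. In the real kernel the walk in count_dangling_keys() corresponds to the list traversal inside lockdep_register_key(), which is why the trace above names that function.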

The bug is only reachable when lockdep (CONFIG_LOCKDEP) is enabled: without it, lockdep_register_key() is an empty inline and no hash entry is ever created. Lockdep is a kernel debugging option and is normally off on production kernels.

Original References

1. Linux Kernel Mailing List (LKML) - Patch Submission
2. Linux Kernel Git Repository - Commit

Users running kernels with lockdep enabled (typically debug, test or development builds) should apply the fix promptly to avoid these crashes and the instability that follows a corrupted lock_keys_hash.

As always, keep your operating system and software up to date and apply security updates when they become available. Even though this particular bug does not affect default kernel configurations, many other flaws are discovered and patched regularly, so keep an eye on security advisories.

Timeline

Published on: 02/26/2024 16:27:48 UTC
Last modified on: 04/17/2024 19:00:42 UTC