{
  "threat_severity" : "Moderate",
  "public_date" : "2024-02-20T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: binder: fix use-after-free in shinker's callback",
    "id" : "2265273",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2265273"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbinder: fix use-after-free in shinker's callback\nThe mmap read lock is used during the shrinker's callback, which means\nthat using alloc->vma pointer isn't safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker's debug sysfs. The\nfollowing KASAN report confirms the UAF:\n==================================================================\nBUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\nRead of size 8 at addr ffff356ed50e50f0 by task bash/478\nCPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\nHardware name: linux,dummy-virt (DT)\nCall trace:\nzap_page_range_single+0x470/0x4b8\nbinder_alloc_free_page+0x608/0xadc\n__list_lru_walk_one+0x130/0x3b0\nlist_lru_walk_node+0xc4/0x22c\nbinder_shrink_scan+0x108/0x1dc\nshrinker_debugfs_scan_write+0x2b4/0x500\nfull_proxy_write+0xd4/0x140\nvfs_write+0x1ac/0x758\nksys_write+0xf0/0x1dc\n__arm64_sys_write+0x6c/0x9c\nAllocated by task 492:\nkmem_cache_alloc+0x130/0x368\nvm_area_alloc+0x2c/0x190\nmmap_region+0x258/0x18bc\ndo_mmap+0x694/0xa60\nvm_mmap_pgoff+0x170/0x29c\nksys_mmap_pgoff+0x290/0x3a0\n__arm64_sys_mmap+0xcc/0x144\nFreed by task 491:\nkmem_cache_free+0x17c/0x3c8\nvm_area_free_rcu_cb+0x74/0x98\nrcu_core+0xa38/0x26d4\nrcu_core_si+0x10/0x1c\n__do_softirq+0x2fc/0xd24\nLast potentially related work creation:\n__call_rcu_common.constprop.0+0x6c/0xba0\ncall_rcu+0x10/0x1c\nvm_area_free+0x18/0x24\nremove_vma+0xe4/0x118\ndo_vmi_align_munmap.isra.0+0x718/0xb5c\ndo_vmi_munmap+0xdc/0x1fc\n__vm_munmap+0x10c/0x278\n__arm64_sys_munmap+0x58/0x7c\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.", "A flaw was found in the binder shrinker's callback in the Linux kernel. A use-after-free memory flaw in the shrinker's callback functionality allows a local user to crash the system or escalate their privileges." ],
  "statement" : "This bug is only relevant to Android OS. Red Hat Enterprise Linux (and Fedora) are not affected.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-52438\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52438\nhttps://lore.kernel.org/linux-cve-announce/2024022017-slit-wish-e5d7@gregkh/T/#u" ],
  "name" : "CVE-2023-52438",
  "csaw" : false
}