CVE-2023-52609
In the Linux kernel, the following vulnerability has been resolved:
binder: fix race between mmput() and do_exit()
Task A calls binder_update_page_range() to allocate and insert pages on
a remote address space from Task B. For this, Task A pins the remote mm
via mmget_not_zero() first. This can race with Task B do_exit() and the
final mmput() refcount decrement will come from Task A.
| Task A | Task B |
|---|---|
| mmget_not_zero() | |
| do_exit() | |
| exit_mm() | |
| mmput() | |
| mmput() | |
| exit_mmap() | |
| remove_vma() | |
| fput() |
In this case, the work of ____fput() from Task B is queued up in Task A
as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup
work gets executed. However, Task A instead sleep, waiting for a reply
from Task B that never comes (it's dead).
This means the binder_deferred_release() is blocked until an unrelated
binder event forces Task A to go back to userspace. All the associated
death notifications will also be delayed until then.
In order to fix this use mmput_async() that will schedule the work in
the corresponding mm->async_put_work WQ instead of Task A.
- CVE Status
- PUBLISHED
- NVD Status
- Awaiting Analysis
- CNA
- kernel.org
- Published Date
-
2024-03-18 11:15:07
(6 months ago) - Updated Date
-
2024-06-27 12:15:15
(2 months ago)