CVE - CVE-2023-52609

CVE-ID
CVE-2023-52609	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: binder: fix race between mmput() and do_exit() Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A. Task A \| Task B ------------------+------------------ mmget_not_zero() \| \| do_exit() \| exit_mm() \| mmput() mmput() \| exit_mmap() \| remove_vma() \| fput() \| In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead). This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then. In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097 URL:https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097 MISC:https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3 URL:https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3 MISC:https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e URL:https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e MISC:https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01 URL:https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01 MISC:https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918 URL:https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918 MISC:https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608 URL:https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608 MISC:https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9 URL:https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9 MISC:https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5 URL:https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5
Assigning CNA
kernel.org
Date Record Created
20240306	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240306)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)