In the Linux kernel, the following vulnerability has been resolved:

sched/psi: Fix use-after-free in ep_remove_wait_queue()

If a non-root cgroup gets removed while a thread that registered a trigger is still polling on a pressure file within that cgroup, the polling waitqueue gets freed in the following path:

  do_rmdir
    cgroup_rmdir
      kernfs_drain_open_files
        cgroup_file_release
          cgroup_pressure_release
            psi_trigger_destroy

However, the polling thread still holds a reference to the pressure file and will access the freed waitqueue when the file is closed or upon exit:

  fput
    ep_eventpoll_release
      ep_free
        ep_remove_wait_queue
          remove_wait_queue

This results in the use-after-free pasted below.

The fundamental problem here is that cgroup_file_release() (and consequently the waitqueue's lifetime) is not tied to the file's real lifetime. Using wake_up_pollfree() here might be less than ideal, but it is in line with the comment at commit 42288cb44c4b ("wait: add wake_up_pollfree()"), since the waitqueue's lifetime is not tied to the file's and can be considered another special case. While this would be fixable by somehow tying cgroup_file_release() to the fput(), it would require sizable refactoring at the cgroup or higher layer, which might be more justifiable if more cases like this are identified.
BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x60/0xc0
Write of size 4 at addr ffff88810e625328 by task a.out/4404

CPU: 19 PID: 4404 Comm: a.out Not tainted 6.2.0-rc6 #38
Hardware name: Amazon EC2 c5a.8xlarge/, BIOS 1.0 10/16/2017
Call Trace:
 <TASK>
 dump_stack_lvl+0x73/0xa0
 print_report+0x16c/0x4e0
 kasan_report+0xc3/0xf0
 kasan_check_range+0x2d2/0x310
 _raw_spin_lock_irqsave+0x60/0xc0
 remove_wait_queue+0x1a/0xa0
 ep_free+0x12c/0x170
 ep_eventpoll_release+0x26/0x30
 __fput+0x202/0x400
 task_work_run+0x11d/0x170
 do_exit+0x495/0x1130
 do_group_exit+0x100/0x100
 get_signal+0xd67/0xde0
 arch_do_signal_or_restart+0x2a/0x2b0
 exit_to_user_mode_prepare+0x94/0x100
 syscall_exit_to_user_mode+0x20/0x40
 do_syscall_64+0x52/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
 </TASK>

Allocated by task 4404:
 kasan_set_track+0x3d/0x60
 __kasan_kmalloc+0x85/0x90
 psi_trigger_create+0x113/0x3e0
 pressure_write+0x146/0x2e0
 cgroup_file_write+0x11c/0x250
 kernfs_fop_write_iter+0x186/0x220
 vfs_write+0x3d8/0x5c0
 ksys_write+0x90/0x110
 do_syscall_64+0x43/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 4407:
 kasan_set_track+0x3d/0x60
 kasan_save_free_info+0x27/0x40
 ____kasan_slab_free+0x11d/0x170
 slab_free_freelist_hook+0x87/0x150
 __kmem_cache_free+0xcb/0x180
 psi_trigger_destroy+0x2e8/0x310
 cgroup_file_release+0x4f/0xb0
 kernfs_drain_open_files+0x165/0x1f0
 kernfs_drain+0x162/0x1a0
 __kernfs_remove+0x1fb/0x310
 kernfs_remove_by_name_ns+0x95/0xe0
 cgroup_addrm_files+0x67f/0x700
 cgroup_destroy_locked+0x283/0x3c0
 cgroup_rmdir+0x29/0x100
 kernfs_iop_rmdir+0xd1/0x140
 vfs_rmdir+0xfe/0x240
 do_rmdir+0x13d/0x280
 __x64_sys_rmdir+0x2c/0x30
 do_syscall_64+0x43/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
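As an added illustration (not code from the kernel or from the fix), a small userland C model of the two decoupled lifetimes the report describes: epoll's waiter keeps a raw pointer (whead) into the trigger's waitqueue, and teardown either frees the queue with pollers still attached (the ordering KASAN caught above) or first wakes them with a POLLFREE-style notification so they detach, which is what the wake_up_pollfree() approach provides. The struct names, the result enum and the "freed" flag standing in for kfree() are constructed for this model only.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userland model of the two objects whose lifetimes the report says are decoupled:
 * the psi trigger owns the waitqueue, epoll's waiter keeps a raw pointer (whead) into it.
 * Freeing is modelled by a flag so the buggy ordering can be observed instead of crashing. */
struct waiter;
struct wq { struct waiter *head; bool freed; };
struct waiter { struct wq *whead; struct waiter *next; bool woken; };
enum rm_result { RM_SKIPPED, RM_OK, RM_USE_AFTER_FREE };

/* epoll_ctl(EPOLL_CTL_ADD) on the pressure fd links the waiter into the trigger's queue. */
static void add_wait_queue(struct wq *q, struct waiter *w) {
    w->whead = q; w->next = q->head; q->head = w;
}

/* ep_remove_wait_queue() at close(epfd): unlink through whead, unless a POLLFREE
 * wakeup already cleared it. The spinlock write on a freed queue is the KASAN hit. */
static enum rm_result remove_wait_queue(struct waiter *w) {
    struct wq *q = w->whead;
    if (!q) return RM_SKIPPED;
    if (q->freed) return RM_USE_AFTER_FREE;       /* real kernel: write into freed slab */
    for (struct waiter **pp = &q->head; *pp; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; break; }
    w->whead = NULL;
    return RM_OK;
}

/* wake_up_pollfree() model: each waiter is woken with POLLFREE and detaches itself,
 * so no whead points at the queue by the time it is freed. */
static void wake_up_pollfree(struct wq *q) {
    for (struct waiter *w = q->head, *n; w; w = n) { n = w->next; w->woken = true; w->whead = NULL; }
    q->head = NULL;
}

/* psi_trigger_destroy() before the fix frees with pollers still linked; after it, detaches first. */
static void trigger_destroy_buggy(struct wq *q) { q->freed = true; }
static void trigger_destroy_fixed(struct wq *q) { wake_up_pollfree(q); q->freed = true; }

/* Sequence from the report: poll registered, rmdir(cgroup) destroys the trigger, then close(epfd). */
static enum rm_result run_sequence(void (*destroy)(struct wq *)) {
    struct wq q = { .head = NULL, .freed = false };
    struct waiter w = { .whead = NULL, .next = NULL, .woken = false };
    add_wait_queue(&q, &w);
    destroy(&q);
    return remove_wait_queue(&w);
}

static enum rm_result buggy_result(void) { return run_sequence(trigger_destroy_buggy); }  /* RM_USE_AFTER_FREE */
static enum rm_result fixed_result(void) { return run_sequence(trigger_destroy_fixed); }  /* RM_SKIPPED */
```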