CVE-2023-52438

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-52438
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52438.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52438
Downstream
Published
2024-02-20T18:34:48.694Z
Modified
2026-05-15T11:53:11.315419325Z
Summary
binder: fix use-after-free in shinker's callback
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in shinker's callback

The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated.

I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF:

================================================================== BUG: KASAN: slab-use-after-free in zappagerange_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478

CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zappagerangesingle+0x470/0x4b8 binderallocfreepage+0x608/0xadc __listlruwalk_one+0x130/0x3b0 listlruwalknode+0xc4/0x22c bindershrinkscan+0x108/0x1dc shrinkerdebugfsscanwrite+0x2b4/0x500 fullproxywrite+0xd4/0x140 vfswrite+0x1ac/0x758 ksyswrite+0xf0/0x1dc __arm64syswrite+0x6c/0x9c

Allocated by task 492: kmemcachealloc+0x130/0x368 vmareaalloc+0x2c/0x190 mmapregion+0x258/0x18bc dommap+0x694/0xa60 vmmmappgoff+0x170/0x29c ksysmmappgoff+0x290/0x3a0 __arm64sysmmap+0xcc/0x144

Freed by task 491: kmemcachefree+0x17c/0x3c8 vmareafreercucb+0x74/0x98 rcucore+0xa38/0x26d4 rcucore_si+0x10/0x1c _dosoftirq+0x2fc/0xd24

Last potentially related work creation: __callrcucommon.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vmareafree+0x18/0x24 removevma+0xe4/0x118 dovmialignmunmap.isra.0+0x718/0xb5c dovmimunmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64sysmunmap+0x58/0x7c

Fix this issue by performing instead a vmalookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmapwrite_trylock() has been recently removed anyway.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52438.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.268
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.209
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.148
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.74
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.13
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52438.json"