跳转到帖子

VMware Photon OS: CVE-2023-52609

recommended_posts

发布于
  • Members

VMware Photon OS: CVE-2023-52609

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
03/18/2024
Created
01/21/2025
Added
01/20/2025
Modified
01/20/2025

Description

In the Linux kernel, the following vulnerability has been resolved: binder: fix race between mmput() and do_exit() Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race with Task B do_exit() and the final mmput() refcount decrement will come from Task A. Task A| Task B ------------------+------------------ mmget_not_zero()| |do_exit() |exit_mm() |mmput() mmput() | exit_mmap() | remove_vma()| fput()| In this case, the work of ____fput() from Task B is queued up in Task A as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup work gets executed. However, Task A instead sleep, waiting for a reply from Task B that never comes (it's dead). This means the binder_deferred_release() is blocked until an unrelated binder event forces Task A to go back to userspace. All the associated death notifications will also be delayed until then. In order to fix this use mmput_async() that will schedule the work in the corresponding mm->async_put_work WQ instead of Task A.

Solution(s)

  • vmware-photon_os_update_tdnf

References

  • https://attackerkb.com/topics/cve-2023-52609
  • CVE - 2023-52609
  • 查看数 703
  • 已创建
  • 最后回复

参与讨论

你可立刻发布并稍后注册。 如果你有帐户,立刻登录发布帖子。
注意:你的帖子需要版主批准后才能看到。

游客
回帖…