Bug 1220936 (CVE-2023-52562) - VUL-0: CVE-2023-52562: kernel: mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()
Summary: VUL-0: CVE-2023-52562: kernel: mm/slab_common: fix slab_caches list corruptio...
Status: RESOLVED FIXED
Alias: CVE-2023-52562
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/396085/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52562:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-05 09:20 UTC by SMASH SMASH
Modified: 2024-06-25 18:16 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-03-05 09:20:45 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()

After the commit in Fixes:, if a module that created a slab cache does not
release all of its allocated objects before destroying the cache (at rmmod
time), we might end up releasing the kmem_cache object without removing it
from the slab_caches list thus corrupting the list as kmem_cache_destroy()
ignores the return value from shutdown_cache(), which in turn never removes
the kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails
to release all of the cache's slabs.

This is easily observable on a kernel built with CONFIG_DEBUG_LIST=y
as after that ill release the system will immediately trip on list_add,
or list_del, assertions similar to the one shown below as soon as another
kmem_cache gets created, or destroyed:

  [ 1041.213632] list_del corruption. next->prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)
  [ 1041.219165] ------------[ cut here ]------------
  [ 1041.221517] kernel BUG at lib/list_debug.c:62!
  [ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI
  [ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G    B   W  OE      6.5.0 #15
  [ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023
  [ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0

Another quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,
is to set slub_debug to poison the released objects and then just run
cat /proc/slabinfo after removing the module that leaks slab objects,
in which case the kernel will panic:

  [   50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI
  [   50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G    B   W  OE      6.5.0 #15
  [   50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023
  [   50.972663] RIP: 0010:get_slabinfo+0x42/0xf0

This patch fixes this issue by properly checking shutdown_cache()'s
return value before taking the kmem_cache_release() branch.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52562
https://www.cve.org/CVERecord?id=CVE-2023-52562
https://git.kernel.org/stable/c/46a9ea6681907a3be6b6b0d43776dccc62cad6cf
https://git.kernel.org/stable/c/51988be187b041e5355245957b0b9751fa382e0d
https://git.kernel.org/stable/c/a5569bb187521432f509b69dda7d29f78b2d38b0
https://bugzilla.redhat.com/show_bug.cgi?id=2267737
Comment 1 Gabriele Sonnu 2024-03-05 13:38:44 UTC 
Affected branches already contain the fix. @kernel-team, please add the CVE reference.
Comment 10 Oscar Salvador 2024-04-15 20:18:45 UTC 
References were already updated.
Back to sec-team.
Comment 17 Gabriele Sonnu 2024-06-12 11:57:44 UTC 
All done, closing.