CVE-2023-52935

In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: fix ->anon_vma race If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b	Patch
https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc6::::::

History

01 Apr 2025, 15:40

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/khugepaged: corrección de la ejecución->anon_vma. Si se adjunta un ->anon_vma al VMA, la función collapse_and_free_pmd() requiere que esté bloqueada. Se permite el recorrido de la tabla de páginas bajo cualquiera de los bloqueos mmap, anon_vma (si el VMA está asociado a un anon_vma) y mapeo (si el VMA está asociado a un mapeo). Por lo tanto, para poder eliminar tablas de páginas, debemos mantener las tres. La función retract_page_tables() se activa si se adjunta un ->anon_vma, pero realiza esta comprobación antes de mantener el bloqueo mmap (como explica el comentario sobre la comprobación). Si fusionamos rápidamente un ->anon_vma existente (compartido con un proceso hijo) de un VMA vecino, los recorridos posteriores de rmap en páginas pertenecientes al hijo podrán ver las tablas de páginas que estamos eliminando simultáneamente, asumiendo que nadie más puede acceder a ellas. Repetir la comprobación de ->anon_vma una vez que mantengamos el bloqueo mmap para garantizar que no haya accesos simultáneos a la tabla de páginas. Este error genera una advertencia de lockdep en el comando breakdown_and_free_pmd(), en la línea "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". También puede provocar accesos de use-after-free.
CPE		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.2:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.2:rc4::::::
References	~~() https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b -~~	() https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b - Patch
References	~~() https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128 -~~	() https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128 - Patch
First Time		Linux Linux linux Kernel

28 Mar 2025, 16:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		CWE-416

27 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-27 17:15

Updated : 2025-04-01 15:40

NVD link : CVE-2023-52935

Mitre link : CVE-2023-52935

CVE.ORG link : CVE-2023-52935

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2023-52935", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-03-27T17:15:43.330", "references": [{"url": "https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: fix ->anon_vma race\n\nIf an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires\nit to be locked.\n\nPage table traversal is allowed under any one of the mmap lock, the\nanon_vma lock (if the VMA is associated with an anon_vma), and the\nmapping lock (if the VMA is associated with a mapping); and so to be\nable to remove page tables, we must hold all three of them. \nretract_page_tables() bails out if an ->anon_vma is attached, but does\nthis check before holding the mmap lock (as the comment above the check\nexplains).\n\nIf we racily merged an existing ->anon_vma (shared with a child\nprocess) from a neighboring VMA, subsequent rmap traversals on pages\nbelonging to the child will be able to see the page tables that we are\nconcurrently removing while assuming that nothing else can access them.\n\nRepeat the ->anon_vma check once we hold the mmap lock to ensure that\nthere really is no concurrent page table access.\n\nHitting this bug causes a lockdep warning in collapse_and_free_pmd(),\nin the line \"lockdep_assert_held_write(&vma->anon_vma->root->rwsem)\". \nIt can also lead to use-after-free access."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/khugepaged: correcci\u00f3n de la ejecuci\u00f3n->anon_vma. Si se adjunta un ->anon_vma al VMA, la funci\u00f3n collapse_and_free_pmd() requiere que est\u00e9 bloqueada. Se permite el recorrido de la tabla de p\u00e1ginas bajo cualquiera de los bloqueos mmap, anon_vma (si el VMA est\u00e1 asociado a un anon_vma) y mapeo (si el VMA est\u00e1 asociado a un mapeo). Por lo tanto, para poder eliminar tablas de p\u00e1ginas, debemos mantener las tres. La funci\u00f3n retract_page_tables() se activa si se adjunta un ->anon_vma, pero realiza esta comprobaci\u00f3n antes de mantener el bloqueo mmap (como explica el comentario sobre la comprobaci\u00f3n). Si fusionamos r\u00e1pidamente un ->anon_vma existente (compartido con un proceso hijo) de un VMA vecino, los recorridos posteriores de rmap en p\u00e1ginas pertenecientes al hijo podr\u00e1n ver las tablas de p\u00e1ginas que estamos eliminando simult\u00e1neamente, asumiendo que nadie m\u00e1s puede acceder a ellas. Repetir la comprobaci\u00f3n de ->anon_vma una vez que mantengamos el bloqueo mmap para garantizar que no haya accesos simult\u00e1neos a la tabla de p\u00e1ginas. Este error genera una advertencia de lockdep en el comando breakdown_and_free_pmd(), en la l\u00ednea \"lockdep_assert_held_write(&vma->anon_vma->root->rwsem)\". Tambi\u00e9n puede provocar accesos de use-after-free."}], "lastModified": "2025-04-01T15:40:32.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF175329-E41D-4B45-8701-7C854D2F3684", "versionEndExcluding": "6.1.11", "versionStartIncluding": "4.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D34127CC-68F5-4703-A5F6-5006F803E4AE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AB8D555-648E-4F2F-98BD-3E7F45BD12A8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

7.8 /10