CVE-2023-53815
Description
In the Linux kernel, the following vulnerability has been resolved:
posix-timers: Prevent RT livelock in itimer_delete()
itimer_delete() has a retry loop when the timer is concurrently expired. On non-RT kernels this just spin-waits until the timer callback has completed, except for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK enabled.
In that case and on RT kernels the existing task could live lock when preempting the task which does the timer delivery.
Replace spin_unlock() with an invocation of timer_wait_running() to handle it the same way as the other retry loops in the posix timer code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A spin-wait retry loop in the Linux kernel's itimer_delete() can livelock on RT kernels when the deleting task preempts the task delivering a concurrently expiring timer, leading to denial of service.
Vulnerability Description
The vulnerability resides in the itimer_delete() function in the Linux kernel's posix-timer subsystem. When a timer expires concurrently with a delete operation, the function enters a retry loop that spin-waits for the timer callback to complete. On non-RT kernels this only burns CPU cycles, but on RT kernels, and for posix CPU timers when HAVE_POSIX_CPU_TIMERS_TASK_WORK is enabled, the waiting task can preempt the task that delivers the timer, producing a livelock in which neither task makes progress [1][3].
Exploitation Conditions
An attacker would need the ability to cause a concurrent timer expiry and delete operation on the same timer, likely through crafted user-space code that creates and quickly deletes POSIX timers. On RT kernels, the preemption model makes the livelock more easily triggered. No special privileges beyond the ability to create and delete timers are required, though kernel preemption must be enabled [2].
Impact
Successful exploitation results in a denial of service (DoS) on the affected system, as the livelock prevents the timer from being deleted and blocks progress of the calling task. This can render the system unresponsive or significantly degrade performance. The vulnerability does not allow arbitrary code execution or privilege escalation; it is strictly a DoS issue.
Mitigation
The fix replaces the simple spin_unlock() in the retry loop with a call to timer_wait_running(), which properly sleeps until the timer callback completes, avoiding the livelock. The patch has been applied to the mainline kernel and backported to stable releases [3]. Users should update to a kernel version containing the commit (e.g., commit f9bd298e3e4d). No known workarounds exist beyond applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
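To triage a host against the two conditions the description names (an RT kernel, or posix CPU timers handled through task work), the added example below classifies a kernel config file. It is not code from the kernel project or this page; the `CONFIG_` spellings of the symbols are assumed, the sample config is constructed, and the result says nothing about whether the fix commit is present.

```shell
#!/bin/sh
# Added example: classify a kernel config against the conditions named in
# the CVE description. It does not detect whether the fix is applied.

# classify_config [FILE]  (reads stdin when FILE is omitted)
# Prints one of: rt+task-work | rt | task-work | spin-wait-only
classify_config() {
    cfg=$(cat "${1:--}") || return 2
    rt=0
    tw=0
    # RT kernel: the description says the retry loop can livelock here.
    printf '%s\n' "$cfg" | grep -Eq '^CONFIG_PREEMPT_RT=y$' && rt=1
    # The page names HAVE_POSIX_CPU_TIMERS_TASK_WORK; assumed to appear in
    # the config with the usual CONFIG_ prefix, with or without HAVE_.
    printf '%s\n' "$cfg" |
        grep -Eq '^CONFIG_(HAVE_)?POSIX_CPU_TIMERS_TASK_WORK=y$' && tw=1
    case "$rt$tw" in
        11) echo rt+task-work ;;
        10) echo rt ;;
        01) echo task-work ;;
        *)  echo spin-wait-only ;;   # per the description: plain spin-wait
    esac
}

# Constructed sample (not taken from a real host).
sample_config() {
    cat <<'EOF'
CONFIG_PREEMPT_RT=y
CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y
CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y
EOF
}

# Classify the file given on the command line, if any.
if [ "$#" -gt 0 ]; then
    classify_config "$1"
fi
```

On a live system, feed it the running kernel's config, for example `classify_config "/boot/config-$(uname -r)"` or `gzip -dc /proc/config.gz | classify_config`, where those files exist.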
Affected products
2
Patches
6 commits: f1be1ed32daa, 0670c4c567b2, e7aff15ba29b, f9bd298e3e4d, c1968bb8a286, 9d9e522010eb
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0670c4c567b27bd8f999a943028f4fe60d1a1106 (nvd)
- git.kernel.org/stable/c/9d9e522010eb5685d8b53e8a24320653d9d4cbbf (nvd)
- git.kernel.org/stable/c/c1968bb8a28625cc95d2ad3ca872ab98c9c36d59 (nvd)
- git.kernel.org/stable/c/e7aff15ba29ba4b3052786b1636fa5c4aa39e179 (nvd)
- git.kernel.org/stable/c/f1be1ed32daa053484222f7f9beb2b16c624dffd (nvd)
- git.kernel.org/stable/c/f9bd298e3e4d3fd6e19f017789a42d0f332cd555 (nvd)