CVE-2023-53826
Description
In the Linux kernel, the following vulnerability has been resolved:
ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
Wear-leveling entry could be freed in error path, which may be accessed again in eraseblk_count_seq_show(), for example:
  __erase_worker                          eraseblk_count_seq_show
                                            wl = ubi->lookuptbl[*block_number]
                                            if (wl)
    wl_entry_destroy
      ubi->lookuptbl[e->pnum] = NULL
      kmem_cache_free(ubi_wl_entry_slab, e)
                                            erase_count = wl->ec // UAF!
Wear-leveling entry updating/accessing in ubi->lookuptbl should be protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize wl entry accessing between wl_entry_destroy() and eraseblk_count_seq_show().
Fetch a reproducer in [Link].
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's UBI wear-leveling subsystem can be triggered via a race condition when reading the eraseblk_count file.
Vulnerability Description
In the Linux kernel, the UBI (Unsorted Block Images) subsystem's wear-leveling logic contains a use-after-free (UAF) vulnerability. The flaw resides in the eraseblk_count_seq_show() function, which reads wear-leveling entry data from the ubi->lookuptbl array without proper synchronization. A race condition occurs when wl_entry_destroy() concurrently frees an entry and sets the corresponding array pointer to NULL, while eraseblk_count_seq_show() accesses the same pointer and reads its ec (erase count) field, leading to a UAF read.
The root cause is that updates to and reads of entries in ubi->lookuptbl are not consistently protected by the ubi->wl_lock spinlock. The referenced commit [3] fixes this by adding the missing locking in eraseblk_count_seq_show(), so that the teardown path (under wl_lock) and the show path's read of the table are serialized.
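The locking pattern described above, as an added userspace C example (not the kernel's code and not the fix commit): a pthread mutex stands in for ubi->wl_lock and malloc/free for the slab cache. The helper wl_entry_add(), the functions churn() and race_check(), the table size and the erase-count values are assumptions made for the demonstration.

```c
/* Userspace model, not kernel code: a pthread mutex stands in for ubi->wl_lock. */
#include <pthread.h>
#include <stdlib.h>
struct wl_entry { int pnum, ec; };
static struct wl_entry *lookuptbl[4];            /* constructed table size */
static pthread_mutex_t wl_lock = PTHREAD_MUTEX_INITIALIZER;

/* Hypothetical helper: publish a fresh entry under the lock. */
void wl_entry_add(int pnum, int ec) {
    struct wl_entry *e = malloc(sizeof(*e));
    if (!e) return;
    *e = (struct wl_entry){ pnum, ec };
    pthread_mutex_lock(&wl_lock);
    free(lookuptbl[pnum]);
    lookuptbl[pnum] = e;
    pthread_mutex_unlock(&wl_lock);
}

/* Teardown path: clear the slot and free the entry while holding the lock. */
void wl_entry_destroy(int pnum) {
    pthread_mutex_lock(&wl_lock);
    free(lookuptbl[pnum]);
    lookuptbl[pnum] = NULL;
    pthread_mutex_unlock(&wl_lock);
}

/* Show path: read the pointer and copy ec out while still holding the lock. */
int read_erase_count(int pnum) {
    int ec = -1;                                 /* -1: no entry for this block */
    pthread_mutex_lock(&wl_lock);
    if (lookuptbl[pnum]) ec = lookuptbl[pnum]->ec;
    pthread_mutex_unlock(&wl_lock);
    return ec;
}

static void *churn(void *arg) {                  /* teardown side of the race */
    for (int i = 0; i < 20000; i++) { wl_entry_add(1, 7); wl_entry_destroy(1); }
    return arg;
}
/* Reader side: number of reads that saw anything but 7 or -1 (expect 0). */
int race_check(void) {
    pthread_t t;
    int bad = 0;
    if (pthread_create(&t, NULL, churn, NULL)) return -1;
    for (int i = 0; i < 20000; i++) {
        int ec = read_erase_count(1);
        bad += (ec != 7 && ec != -1);
    }
    pthread_join(t, NULL);
    return bad;
}
```

Because the pointer load and the read of ec share one critical section with the free, the reader only ever observes a live entry or an empty slot.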
Attack Surface & Exploitation
Triggering the vulnerability requires the ability to concurrently issue a read of the /sys/kernel/debug/ubi/ubiX/eraseblk_count file (or equivalent debugfs interface) while erase worker error processing is in progress. This is a local race condition that depends on timing; an attacker would need to either have low-level access to the debug filesystem or be able to craft a scenario where an I/O error causes __erase_worker to call wl_entry_destroy. No special privileges beyond those needed to read debugfs files are required, but the race window makes reliable exploitation challenging without specific control over the storage backend.
Impact
A successful race results in a use-after-free read of a slab-allocated ubi_wl_entry structure. While the CVE description labels this as a UAF (read), it can potentially be leveraged for information disclosure or, in a more severe scenario, for memory corruption if the freed memory is reallocated before the read completes. The kernel's memory safety mechanisms may mitigate exploitation on some configurations, but the presence of a plain UAF is a stability and security risk.
Mitigation
Patches have been merged into the mainline Linux kernel and backported to stable branches. The fix is commit 9d448dd6bcb6 (and equivalent commits), which adds ubi->wl_lock protection in eraseblk_count_seq_show() [3]. Users should apply the latest stable kernel updates from their distribution. The only workaround is disabling debugfs, which removes the eraseblk_count interface but also hinders legitimate debugging.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/1cb14c06d6035539ef4215c4ba0871aea71d7c38 (nvd)
- git.kernel.org/stable/c/3f9b63dfce44a7c3c095dd93d910408e07ab1845 (nvd)
- git.kernel.org/stable/c/79548ccdd992707879b4b683b7251c58ddf26f12 (nvd)
- git.kernel.org/stable/c/84250da1c63cb7d421a3b4812b5c2ce2e47d31a1 (nvd)
- git.kernel.org/stable/c/84253f3c2dad6be10d30c92626c763d9a9f512ad (nvd)
- git.kernel.org/stable/c/9d448dd6bcb61a508204b57ea1f454ba9bac2f24 (nvd)
- git.kernel.org/stable/c/a100de2974d208cfca032179b02ed4d1a0a7f143 (nvd)
- git.kernel.org/stable/c/a240bc5c43130c6aa50831d7caaa02a1d84e1bce (nvd)