CVE-2023-53867

A use-after-free vulnerability exists in the Linux kernel's Ceph filesystem implementation, specifically in the ceph_iterate_session_caps() function. When trimming caps, the code releases the session->s_cap_lock mutex to allow other threads to proceed. However, during the window after the lock is released and before the code re-acquires ci->i_ceph_lock, a concurrent thread may remove the cap (e.g., by unmounting or another trimming operation). The callbacks then use the stale cap memory, leading to a use-after-free condition [1].

The attack surface is local; a user with the ability to mount a Ceph filesystem and trigger cap trimming operations can exploit the race condition. No special privileges on the Ceph cluster are required beyond normal filesystem access, but the attacker must be able to trigger the race window by manipulating cap management, typically through file operations or memory pressure [1].

An attacker successfully exploiting this bug can cause a kernel crash (denial of service) or potentially escalate privileges, as use-after-free in kernel memory may be leveraged for arbitrary code execution. The corruption occurs in kernel slab caches, which may allow overwriting sensitive structures [1].

The issue is fixed in the Linux kernel by a commit (stable tree) that adds a check for the cap's existence after acquiring ci->i_ceph_lock in the loop, ensuring that stale caps are skipped. Users should apply the kernel update to their distributions. There is no workaround short of avoiding Ceph mounts or limiting concurrent cap-trimming operations [1].