CVE-2023-53997
Description
In the Linux kernel, the following vulnerability has been resolved:
thermal: of: fix double-free on unregistration
Since commit 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure"), thermal_zone_device_register() allocates a copy of the tzp argument and frees it when unregistering, so thermal_of_zone_register() now ends up leaking its original tzp and double-freeing the tzp copy. Fix this by locating tzp on stack instead.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in the Linux kernel's thermal subsystem occurs when unregistering a thermal zone due to a copy of the tzp parameter being freed twice.
Vulnerability Overview
In the Linux kernel, a double-free vulnerability exists in the thermal subsystem's device registration and unregistration path. The issue stems from commit 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure"), which modified thermal_zone_device_register() to allocate a copy of the tzp (thermal zone parameters) argument and free that copy upon unregistration. However, thermal_of_zone_register() was not updated accordingly, causing it to leak its original tzp allocation and then double-free the copy made by the core function [1].
Exploitation and Impact
An attacker with the ability to trigger thermal zone registration and unregistration (e.g., through device hotplug or module loading) could exploit this double-free to corrupt kernel memory. The double-free can lead to use-after-free conditions, potentially allowing privilege escalation or denial of service. No authentication is required if the attacker can control the thermal device lifecycle from userspace or through hardware events [1].
Mitigation
The fix, committed to the kernel stable tree, moves the tzp variable onto the stack in thermal_of_zone_register(), which avoids the double allocation and the subsequent double-free. Users should apply the patch from the stable kernel repository [1]. No workaround is available; updating the kernel is recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
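The ownership mismatch described above, as an added userspace model that is not kernel code and not taken from the fix commit. All names (`core_register`, `run`, the tracking allocator) are hypothetical, and the model assumes the wrapper's unregister path frees the parameters pointer it reads back from the zone, which is the core's copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model, not kernel code; all names here are hypothetical. */
struct params { int slope; };
struct zone { struct params *tzp; };
struct result { int double_frees, leaks; };
/* Tracking allocator: never really frees, so a second free is only counted. */
#define SLOTS 8
static void *live[SLOTS];
static int double_frees;
static void *t_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; i < SLOTS; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static void t_free(void *p) {
    for (int i = 0; i < SLOTS; i++) if (live[i] == p) { live[i] = NULL; return; }
    double_frees++;                      /* pointer was no longer live */
}
/* Core: copies the caller's params and frees that copy on unregister. */
static struct zone *core_register(const struct params *tzp) {
    struct zone *z = t_alloc(sizeof *z);
    z->tzp = t_alloc(sizeof *tzp);
    memcpy(z->tzp, tzp, sizeof *tzp);
    return z;
}
static void core_unregister(struct zone *z) { t_free(z->tzp); t_free(z); }
/* fixed == 0: wrapper heap-allocates tzp and frees z->tzp on unregister (assumed).
 * fixed == 1: tzp lives on the stack and only the core frees its copy. */
static struct result run(int fixed) {
    struct params on_stack = { .slope = 1 }, *tzp = &on_stack, *copy;
    int leaks = 0;
    memset(live, 0, sizeof live); double_frees = 0;
    if (!fixed) { tzp = t_alloc(sizeof *tzp); tzp->slope = 1; }  /* leaked */
    struct zone *z = core_register(tzp);
    copy = z->tzp;                       /* the core's copy, not the original */
    core_unregister(z);
    if (!fixed) t_free(copy);            /* second free of the core's copy */
    for (int i = 0; i < SLOTS; i++) leaks += live[i] != NULL;
    return (struct result){ double_frees, leaks };
}
int main(void) {
    struct result b = run(0), f = run(1);
    printf("before fix: %d double free(s), %d leak(s)\n", b.double_frees, b.leaks);
    printf("after fix:  %d double free(s), %d leak(s)\n", f.double_frees, f.leaks);
    return 0;
}
```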
Affected products: 1
Patches: 2 (adce49089412, ac4436a5b20e)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References