CVE-2023-54042

The vulnerability is a use-after-free bug in the Virtual Accelerator Switchboard (VAS) implementation for powerpc/64s systems in the Linux kernel. The root cause is that the reference count on the memory management (mm) structure is decremented before the coprocessor is fully detached from it. This leaves a window where the mm could be freed while still being accessed by the VAS hardware, leading to a use-after-free condition.

Exploitation

An attacker with local access and the ability to trigger VAS operations could potentially exploit this condition. The attack surface requires being able to initiate VAS contexts or interact with the accelerator hardware. No authentication beyond local user access is needed, and the attacker must be positioned to influence the timing of VAS detach operations.

Impact

If successfully exploited, an attacker could cause a use-after-free, leading to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context. The vulnerability could compromise system stability and security.

Mitigation

The fix, available in the Linux kernel stable releases, ensures the mm refcount is not dropped until after the coprocessor detachment is complete. Users should update their kernel to the patched version [1][2]. No workaround is mentioned.