CVE-2023-54046

Root

Cause The vulnerability resides in the Linux kernel's crypto essiv module, where the essiv_skcipher_crypt function incorrectly handles return values from the underlying cipher. Specifically, it only treats EINPROGRESS as a special case, freeing associated data for all other return values. However, when the caller specifies MAY_BACKLOG, the kernel can return EBUSY for backlogged requests. Because EBUSY is not treated like EINPROGRESS, the data is freed prematurely, leading to a use-after-free condition [1][2][3].

Exploitation

An attacker must be able to submit crypto requests through the kernel's crypto API with the MAY_BACKLOG flag set and trigger the essiv module. This typically requires local access to the system, as the crypto subsystem is accessible to unprivileged users via interfaces like AF_ALG or certain device drivers. The attacker does not need authentication beyond local user privileges [1].

Impact

A successful exploit allows an attacker to cause a use-after-free on kernel memory, which can be leveraged for local privilege escalation or denial of service (system crash). The use-after-free corrupts kernel structures, potentially enabling arbitrary code execution with kernel privileges [1][2].

Mitigation

The vulnerability is fixed in Linux kernel stable releases by patches that add proper handling for the EBUSY return code in the essiv module [1][2][3]. Users should apply the latest kernel updates from their distribution or compile a patched kernel. No workarounds are known.