CVE-2023-54088

Vulnerability

Description

The vulnerability resides in the Linux kernel's block cgroup (blk-cgroup) implementation. When a block group (blkg) is removed from the queue's blkg list via blkg_free_workfn(), the function fails to hold the queue_lock. This missing lock can lead to concurrent modification of the linked list, resulting in list corruption or hard lockups when blkg_destroy_all() iterates over the same list.

Exploitation

Scenario

Exploitation requires local access to the system and the ability to trigger the blkg removal path. Since blkg_free_workfn() runs in a workqueue context, an attacker with sufficient privileges (or ability to cause blkg destruction) can induce a race condition. The lack of locking means that simultaneous operations on the blkg list may corrupt kernel memory, leading to a denial-of-service condition (lockup) or potentially more severe consequences.

Impact

An attacker exploiting this flaw can cause a system crash (hard lockup) or memory corruption, resulting in denial of service. Given the nature of the bug (missing lock), it is unlikely to directly lead to privilege escalation, but it can destabilize the system.

Mitigation

The fix is included in Linux kernel stable updates. Users should apply the latest stable kernel patches. The commits referenced ([1], [2]) add the missing queue_lock acquisition in blkg_free_workfn(). No workarounds are available; updating the kernel is the recommended action.