CVE-2023-54139

Vulnerability

CVE-2023-54139 is a vulnerability in the Linux kernel's tracing/user_events functionality. The root cause is a missing validation of the write index passed by user processes during write() system calls. The index, which is the first 4 bytes of the write data, indicates which event the data is destined for and is used to access a per-file array. If a user passes a negative value for this index, the kernel could access memory outside the bounds of the intended array, leading to potential memory corruption or information disclosure [1].

Exploitation

An attacker with the ability to write to a user_events file descriptor can trigger this vulnerability. The attack vector involves crafting a write() call where the first 4 bytes are set the index to a negative integer. No elevated privileges are required beyond the ability to open and write to the relevant tracefs file. The exploit does not require authentication from the attacker beyond the normal file access permissions [1].

Impact

Successful exploitation allows an attacker to read or write kernel memory outside the bounds of the event array. This can lead to arbitrary code execution in kernel context, or information disclosure of sensitive kernel data. The impact is system compromise, including potential privilege escalation and denial of service [1].

Mitigation

The vulnerability is fixed in the Linux kernel by commit 0489c2b2c3104b89f078dbcec8c744dfc157d3e9. This patch adds a check to ensure the write index is not negative, returning -EINVAL if it is. The fix prevents the out-of-bounds access. Users are advised to apply the patch or update to a kernel version containing the fix. The ftrace self-test has also been updated to verify the correct behavior [1].