CVE-2023-54146
Description
In the Linux kernel, the following vulnerability has been resolved:
x86/kexec: Fix double-free of elf header buffer
After b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer"), freeing image->elf_headers in the error path of crash_load_segments() is not needed because kimage_file_post_load_cleanup() will take care of that later. And not clearing it could result in a double-free.
Drop the superfluous vfree() call at the error path of crash_load_segments().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Double-free of elf header buffer in Linux kernel's kexec crash_load_segments() error path, fixed by removing superfluous vfree().
Vulnerability
Analysis
A double-free vulnerability exists in the Linux kernel's kexec code for the x86 architecture. In the function crash_load_segments(), after commit b3e34a47f989 introduced memory cleanup via kimage_file_post_load_cleanup(), an extra vfree(image->elf_headers) call remained in the error path. This can cause the elf_headers buffer to be freed twice: once in that error path and again during the normal cleanup in kimage_file_post_load_cleanup(). [1][2]
Exploitation
To trigger the bug, an attacker would need to cause crash_load_segments() to fail (e.g., by providing a malformed kexec image or triggering an allocation failure). This requires the ability to call the kexec_load() system call, which normally requires CAP_SYS_BOOT or root privileges. No user interaction is needed beyond the malicious syscall.
Impact
A double-free in kernel memory management can lead to memory corruption, potentially allowing an attacker to escalate privileges or cause a denial of service (system crash). The vulnerability is serious because it can corrupt kernel heap allocator metadata.
Mitigation
The fix removes the redundant vfree() call in the error path of crash_load_segments(). The patch is available in the stable kernel trees and should be applied to affected versions. [1][2]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
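The ownership error described in the analysis above, modelled in user-space C as an added example (not kernel source and not part of the CVE record). The names image_model, tracked_alloc, tracked_free, post_load_cleanup, load_segments and the three error-path modes are assumptions made for illustration; FREE_AND_CLEAR is the alternative the description implies, freeing in the error path and then clearing the pointer.

```c
/* User-space model of the ownership bug (constructed; not kernel source). */
#include <stdio.h>

struct image_model { void *elf_headers; };  /* stands in for struct kimage */
enum error_path { NO_FREE, FREE_ONLY, FREE_AND_CLEAR };

static char buffer[64];   /* the single tracked allocation */
static int live;          /* 1 while buffer is allocated */
static int double_frees;  /* frees seen while buffer was not live */

static void *tracked_alloc(void) { live = 1; return buffer; }

/* Stand-in for vfree(): NULL is a no-op, a repeated free is counted. */
static void tracked_free(void *p)
{
    if (!p) return;
    if (!live) double_frees++;
    live = 0;
}

/* Stand-in for the common cleanup that owns elf_headers. */
static void post_load_cleanup(struct image_model *img)
{
    tracked_free(img->elf_headers);
    img->elf_headers = NULL;
}

/* Loader that always fails after allocating the headers. */
static int load_segments(struct image_model *img, enum error_path mode)
{
    img->elf_headers = tracked_alloc();
    if (mode != NO_FREE)
        tracked_free(img->elf_headers);   /* FREE_ONLY leaves it dangling */
    if (mode == FREE_AND_CLEAR)
        img->elf_headers = NULL;
    return -1;                            /* simulated load failure */
}

/* One failed load followed by cleanup; returns the double-free count. */
static int failed_load(enum error_path mode)
{
    struct image_model img = { NULL };
    double_frees = 0;
    if (load_segments(&img, mode) < 0)
        post_load_cleanup(&img);
    return double_frees;
}

int main(void)
{
    printf("free-only=%d no-free=%d free+clear=%d\n", failed_load(FREE_ONLY),
           failed_load(NO_FREE), failed_load(FREE_AND_CLEAR));
    return 0;
}
```

Only FREE_ONLY, the pre-fix shape, reaches the cleanup with a stale non-NULL pointer; NO_FREE corresponds to the fix of dropping the error-path free.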
Affected products: 1
Patches: 5
- 4c71a552b97f
- 554a880a1fff
- fbdbf8ac333d
- 5bd3c7abeb69
- d00dd2f2645d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
- git.kernel.org/stable/c/4c71a552b97fb4f46eb300224434fe56fcf4f254 (nvd)
- git.kernel.org/stable/c/554a880a1fff46dd5a355dec21cd77d542a0ddf2 (nvd)
- git.kernel.org/stable/c/5bd3c7abeb69fb4133418b846a1c6dc11313d6f0 (nvd)
- git.kernel.org/stable/c/d00dd2f2645dca04cf399d8fc692f3f69b6dd996 (nvd)
- git.kernel.org/stable/c/fbdbf8ac333d3d47c0d9ea81d7d445654431d100 (nvd)