CVE-2023-54201
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/efa: Fix wrong resources deallocation order
When trying to destroy QP or CQ, we first decrease the refcount and potentially free memory regions allocated for the object and then request the device to destroy the object. If the device fails, the object isn't fully destroyed so the user/IB core can try to destroy the object again which will lead to underflow when trying to decrease an already zeroed refcount.
Deallocate resources in reverse order of allocating them to safely free them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's RDMA/efa driver, a wrong resource deallocation order in QP/CQ destruction can cause a refcount underflow and use-after-free.
Vulnerability
CVE-2023-54201 is a bug in the Linux kernel's RDMA/efa driver related to improper resource deallocation order when destroying Queue Pairs (QP) or Completion Queues (CQ). The driver first decreases the reference count and potentially frees memory regions allocated for the object, and only then requests the device to destroy the object. If the device fails to destroy the object, the object remains partially alive, but the refcount has already been decremented to zero. A subsequent attempt to destroy the same object will decrement an already zeroed refcount, leading to an underflow and potential use-after-free [1][2].
Exploitation
An attacker with local access and the ability to trigger QP or CQ destruction (e.g., via ibv_destroy_qp or ibv_destroy_cq) could exploit this flaw. The vulnerability does not require special privileges beyond those needed to use RDMA resources. The attack surface is limited to systems using the EFA (Elastic Fabric Adapter) driver, which is primarily used in AWS instances for high-performance computing [1][2].
Impact
Successful exploitation could result in a use-after-free condition, leading to memory corruption, denial of service, or potentially privilege escalation. The exact impact depends on the system configuration and the attacker's ability to control the freed memory [1][2].
Mitigation
The fix is to deallocate resources in reverse order of allocation, ensuring that the refcount is only decremented after the device has successfully destroyed the object. The patch has been applied to the Linux kernel stable branches [1][2]. Users should update their kernel to a version containing the fix.
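The ordering problem described under Vulnerability and Mitigation can be reproduced in a small user-space model. This is an added example, not code from the efa driver or its patch: the struct names, dev_destroy(), the failure budget and the plain int refcount are all hypothetical stand-ins chosen so the underflow is visible as a negative value.

```c
#include <stdio.h>

/* Constructed user-space model; every name here is hypothetical. */
struct mem_region { int refcount; };          /* host memory pinned by the CQ */
struct cq { struct mem_region *mr; int dev_alive; };

static int dev_fail_budget;                   /* how many device destroys fail */

/* Simulated device command: refuses while the failure budget lasts. */
static int dev_destroy(struct cq *cq) {
    if (dev_fail_budget > 0) { dev_fail_budget--; return -1; }
    cq->dev_alive = 0;
    return 0;
}

/* Order described as wrong: release host resources, then ask the device. */
static int destroy_wrong_order(struct cq *cq) {
    cq->mr->refcount--;                       /* dropped even if the device refuses */
    return dev_destroy(cq);
}

/* Reverse order of allocation: device object first, host resources after. */
static int destroy_fixed_order(struct cq *cq) {
    int err = dev_destroy(cq);
    if (err)
        return err;                           /* nothing released, so a retry is safe */
    cq->mr->refcount--;
    return 0;
}

/* Destroy once, retry once on failure; returns the final refcount. */
static int run(int (*destroy)(struct cq *), int failures) {
    struct mem_region mr = { .refcount = 1 };
    struct cq cq = { .mr = &mr, .dev_alive = 1 };
    dev_fail_budget = failures;
    if (destroy(&cq) != 0)
        destroy(&cq);                         /* caller tries again after the error */
    return mr.refcount;
}

int main(void) {
    printf("wrong order, one device failure: refcount=%d\n", run(destroy_wrong_order, 1));
    printf("fixed order, one device failure: refcount=%d\n", run(destroy_fixed_order, 1));
    return 0;
}
```

When the device never fails, both orders end with a refcount of 0, which is why the defect only shows up on the error path.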
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
cf38960386f3
e79db2f51a56
24f9884971f9
dc202c57e9a1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4