CVE-2023-52707 Overview
CVE-2023-52707 is a use-after-free vulnerability in the Linux kernel's scheduler pressure stall information (PSI) subsystem. The flaw exists in the ep_remove_wait_queue() function and can be triggered when a non-root cgroup is removed while a thread is actively polling on a pressure file within that cgroup. This race condition leads to the polling waitqueue being freed prematurely while the polling thread still holds a reference, resulting in memory corruption when the thread attempts to access the freed waitqueue.
Critical Impact
Local attackers with the ability to manipulate cgroups and polling operations can exploit this use-after-free vulnerability to potentially achieve privilege escalation, cause system crashes, or execute arbitrary code in kernel context.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 6.2 RC1 through RC8
- Multiple stable kernel branches requiring backported patches
Discovery Timeline
- 2024-05-21 - CVE CVE-2023-52707 published to NVD
- 2025-01-06 - Last updated in NVD database
Technical Details for CVE-2023-52707
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption flaw that occurs when freed memory is subsequently accessed. The issue arises from a fundamental design problem where cgroup_file_release() and the waitqueue's lifetime are not properly tied to the file's actual lifetime.
When a cgroup is removed via rmdir, the kernel triggers a chain of functions (cgroup_rmdir → kernfs_drain_open_files → cgroup_file_release → cgroup_pressure_release → psi_trigger_destroy) that frees the polling waitqueue. However, if a thread is still polling on the pressure file, it maintains a reference and will attempt to access the now-freed waitqueue when the file is closed or upon exit through the path: fput → ep_eventpoll_release → ep_free → ep_remove_wait_queue → remove_wait_queue.
The KASAN (Kernel Address Sanitizer) reports show a "Write of size 4" to freed memory during _raw_spin_lock_irqsave, confirming the use-after-free condition when acquiring the spinlock on the freed waitqueue structure.
Root Cause
The fundamental root cause is a lifetime management issue between cgroup file operations and the underlying waitqueue structures. Specifically, cgroup_file_release() frees resources that may still be referenced by active polling threads. The waitqueue gets deallocated in psi_trigger_destroy() before all file references have been closed, creating a dangling pointer scenario.
The kernel allocates the trigger structure in psi_trigger_create() during pressure_write(), but the corresponding free operation in psi_trigger_destroy() is triggered by cgroup removal rather than being tied to the file descriptor's lifecycle. This disconnect allows the polling thread to hold a stale reference to freed memory.
Attack Vector
The attack requires local access and the ability to manipulate cgroups and polling operations. The exploitation scenario involves:
- Creating a non-root cgroup and registering a PSI trigger on a pressure file
- Starting a thread that polls on the pressure file using epoll
- Removing the cgroup directory while the polling thread is active
- The race condition causes the waitqueue to be freed while still in use
- When the polling thread closes the file or exits, it accesses freed memory
The vulnerability manifests in the interaction between cgroup removal and epoll polling operations. When do_rmdir is called on a cgroup directory, the kernel initiates cleanup through cgroup_rmdir(), which drains open files and releases pressure monitoring resources. The polling thread, unaware of this cleanup, continues to hold a reference to the now-freed waitqueue structure. Upon the thread's exit or file closure, ep_remove_wait_queue() attempts to manipulate the freed waitqueue, triggering the use-after-free condition.
The fix implements wake_up_pollfree() to properly synchronize waitqueue cleanup with active polling operations, ensuring all polling threads are notified before the waitqueue is freed.
Detection Methods for CVE-2023-52707
Indicators of Compromise
- KASAN reports indicating use-after-free in _raw_spin_lock_irqsave() or remove_wait_queue() functions
- Kernel oops or panics with call traces involving ep_free, ep_remove_wait_queue, or psi_trigger_destroy
- Unexpected system crashes when removing cgroups with active PSI polling threads
- Memory corruption symptoms in kernel logs related to sched/psi subsystem
Detection Strategies
- Deploy kernel builds with KASAN enabled in test environments to detect memory corruption during cgroup operations
- Monitor kernel logs for KASAN warnings containing references to psi_trigger, ep_remove_wait_queue, or cgroup_pressure_release
- Implement runtime integrity monitoring for cgroup operations involving pressure stall information files
- Use kernel tracing tools to monitor interactions between epoll and cgroup file operations
Monitoring Recommendations
- Enable kernel memory debugging options (KASAN, KMEMLEAK) in development and staging environments
- Set up alerting for kernel panic events with stack traces containing PSI or cgroup-related functions
- Monitor for unusual patterns of cgroup creation/deletion combined with epoll operations
- Audit systems for applications that register PSI triggers and perform cgroup management simultaneously
How to Mitigate CVE-2023-52707
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix
- Review and audit any custom applications that combine cgroup management with PSI polling
- Consider restricting cgroup removal operations in production environments until patches are applied
- Enable kernel memory protection features where available
Patch Information
The vulnerability has been fixed in multiple stable kernel branches. The fix implements proper synchronization using wake_up_pollfree() to ensure polling threads are notified before waitqueue cleanup, aligning with the approach established in commit 42288cb44c4b ("wait: add wake_up_pollfree()").
Patches are available through the following kernel commits:
- Kernel Commit 7caeb5457bd0
- Kernel Commit c2dbe32d5db5
- Kernel Commit c6879a4dcefe
- Kernel Commit cca2b3feb701
- Kernel Commit ec9c7aa08819
Workarounds
- Avoid removing cgroups while applications are actively polling PSI pressure files
- Implement application-level coordination to ensure polling threads close file descriptors before cgroup removal
- Use cgroup v2 freezer to quiesce cgroup activity before removal operations
- Consider disabling PSI monitoring on systems where cgroup lifecycle management is frequent and unpredictable
# Verify kernel version includes the fix
uname -r
# Check if PSI is enabled
cat /proc/pressure/cpu
# Monitor for KASAN warnings related to PSI
dmesg | grep -E "(KASAN|psi_trigger|ep_remove_wait_queue)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
